🔀 Merge pull request #896 from Cereal916/localStorageExploitFix

Set user in localStorage when matching auth token is found. When chec…
Alicia Sykes 2022-09-11 22:41:45 +01:00 committed by GitHub
commit 933fb9c4d7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 21 additions and 18 deletions


@ -54,18 +54,20 @@ const generateUserToken = (user) => {
*/ */
export const isLoggedIn = () => { export const isLoggedIn = () => {
const users = getUsers(); const users = getUsers();
const validTokens = users.map((user) => generateUserToken(user)); let userAuthenticated = document.cookie.split(';').some((cookie) => {
let userAuthenticated = false;
document.cookie.split(';').forEach((cookie) => {
if (cookie && cookie.split('=').length > 1) { if (cookie && cookie.split('=').length > 1) {
const cookieKey = cookie.split('=')[0].trim(); const cookieKey = cookie.split('=')[0].trim();
const cookieValue = cookie.split('=')[1].trim(); const cookieValue = cookie.split('=')[1].trim();
if (cookieKey === cookieKeys.AUTH_TOKEN) { if (cookieKey === cookieKeys.AUTH_TOKEN) {
if (validTokens.includes(cookieValue)) { userAuthenticated = users.some((user) => {
userAuthenticated = true; if (generateUserToken(user) === cookieValue) {
} localStorage.setItem(localStorageKeys.USERNAME, user.user);
} return true;
} } else return false;
});
return userAuthenticated;
} else return false;
} else return false;
}); });
return userAuthenticated; return userAuthenticated;
}; };
@ -159,10 +161,10 @@ export const getCurrentUser = () => {
* Checks if the user is viewing the dashboard as a guest * Checks if the user is viewing the dashboard as a guest
* Returns true if guest mode enabled, and user not logged in * Returns true if guest mode enabled, and user not logged in
* */ * */
export const isLoggedInAsGuest = () => { export const isLoggedInAsGuest = (currentUser) => {
const guestEnabled = isGuestAccessEnabled(); const guestEnabled = isGuestAccessEnabled();
const notLoggedIn = !isLoggedIn(); const loggedIn = isLoggedIn() && currentUser;
return guestEnabled && notLoggedIn; return guestEnabled && !loggedIn;
}; };
/** /**
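Review bot: In the new `isLoggedIn` body, the inner `userAuthenticated = users.some((user) => {` assigns to the outer `let userAuthenticated` while that declaration's own initializer (`document.cookie.split(';').some(...)`) is still running, so the binding is in its temporal dead zone and the assignment throws a ReferenceError as soon as a `cookieKeys.AUTH_TOKEN` cookie is present — unless the rendering dropped a line, a user with a valid token never gets past this check. The outer variable does not need to be touched from the callback: declare it as `const userAuthenticated = document.cookie.split(';').some((cookie) => {`, replace the inner assignment with `return users.some((user) => {`, and drop the `return userAuthenticated;` that follows the inner `});`. Writing `localStorage` from inside a predicate named `isLoggedIn` also deserves a comment, because the second hunk's `isLoggedInAsGuest(currentUser)` makes that write happen on every visibility check; `// side effect: records the username whose token matched the auth cookie` above the `localStorage.setItem` line would at least make it visible to readers.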


@ -5,15 +5,14 @@
*/ */
// Import helper functions from auth, to get current user, and check if guest // Import helper functions from auth, to get current user, and check if guest
import { getCurrentUser, isLoggedInAsGuest } from '@/utils/Auth'; import { getCurrentUser } from '@/utils/Auth';
import { isVisibleToUser } from '@/utils/IsVisibleToUser'; import { isVisibleToUser } from '@/utils/IsVisibleToUser';
/* Putting it all together, the function to export */ /* Putting it all together, the function to export */
export const checkItemVisibility = (item) => { export const checkItemVisibility = (item) => {
const currentUser = getCurrentUser(); // Get current user object const currentUser = getCurrentUser(); // Get current user object
const isGuest = isLoggedInAsGuest(); // Check if current user is a guest
const displayData = item.displayData || {}; const displayData = item.displayData || {};
return isVisibleToUser(displayData, currentUser, isGuest); return isVisibleToUser(displayData, currentUser);
}; };
export default checkItemVisibility; export default checkItemVisibility;
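Review bot: With `isGuest` no longer computed in `checkItemVisibility`, the `isVisibleToUser(displayData, currentUser)` call on its last line now re-derives guest status through `isLoggedInAsGuest` → `isLoggedIn`, which re-parses `document.cookie`, regenerates a token for every configured user and writes `localStorage` (see the Auth.js and IsVisibleToUser.js sections of this commit). `checkItemVisibility` presumably runs once per item, so that work is repeated per item rather than once per pass; the same applies to `checkSectionVisibility` in the next file, whose filter callback calls `isVisibleToUser` per section. If that cost matters, computing the login state once per render and threading it through, or memoising `isLoggedIn` for the duration of a pass, would restore the previous cost profile.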


@ -5,16 +5,15 @@
*/ */
// Import helper functions from auth, to get current user, and check if guest // Import helper functions from auth, to get current user, and check if guest
import { getCurrentUser, isLoggedInAsGuest } from '@/utils/Auth'; import { getCurrentUser } from '@/utils/Auth';
import { isVisibleToUser } from '@/utils/IsVisibleToUser'; import { isVisibleToUser } from '@/utils/IsVisibleToUser';
/* Putting it all together, the function to export */ /* Putting it all together, the function to export */
export const checkSectionVisibility = (sections) => { export const checkSectionVisibility = (sections) => {
const currentUser = getCurrentUser(); // Get current user object const currentUser = getCurrentUser(); // Get current user object
const isGuest = isLoggedInAsGuest(); // Check if current user is a guest
return sections.filter((currentSection) => { return sections.filter((currentSection) => {
const displayData = currentSection.displayData || {}; const displayData = currentSection.displayData || {};
return isVisibleToUser(displayData, currentUser, isGuest); return isVisibleToUser(displayData, currentUser);
}); });
}; };


@ -6,6 +6,7 @@
// Import helper functions from auth, to get current user, and check if guest // Import helper functions from auth, to get current user, and check if guest
import { localStorageKeys } from '@/utils/defaults'; import { localStorageKeys } from '@/utils/defaults';
import { isLoggedInAsGuest } from '@/utils/Auth';
/* Helper function, checks if a given testValue is found in the visibility list */ /* Helper function, checks if a given testValue is found in the visibility list */
const determineVisibility = (visibilityList, testValue) => { const determineVisibility = (visibilityList, testValue) => {
@ -25,7 +26,9 @@ const determineIntersection = (source = [], target = []) => {
/* Returns false if the displayData of a section/item /* Returns false if the displayData of a section/item
should not be rendered for the current user/ guest */ should not be rendered for the current user/ guest */
export const isVisibleToUser = (displayData, currentUser, isGuest) => { export const isVisibleToUser = (displayData, currentUser) => {
const isGuest = isLoggedInAsGuest(currentUser); // Check if current user is a guest
// Checks if user explicitly has access to a certain section // Checks if user explicitly has access to a certain section
const checkVisibility = () => { const checkVisibility = () => {
if (!currentUser) return true; if (!currentUser) return true;