From 5a3fbe567268c9c5c755def3d62dfd5884dfea4a Mon Sep 17 00:00:00 2001
From: kristian
Date: Sat, 10 Sep 2022 21:33:45 -0700
Subject: [PATCH 1/2] Set user in localStorage when matching auth token is found. When checking guest access, consider if a username is set. Fixes username local storage exploits.

---
 src/utils/Auth.js | 16 +++++++++-------
 src/utils/CheckItemVisibility.js | 5 ++---
 src/utils/CheckSectionVisibility.js | 5 ++---
 src/utils/IsVisibleToUser.js | 5 ++++-
 4 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/src/utils/Auth.js b/src/utils/Auth.js
index 1b26b7bc..078fd303 100644
--- a/src/utils/Auth.js
+++ b/src/utils/Auth.js
@@ -54,16 +54,18 @@ const generateUserToken = (user) => {
 */
 export const isLoggedIn = () => {
 const users = getUsers();
- const validTokens = users.map((user) => generateUserToken(user));
 let userAuthenticated = false;
 document.cookie.split(';').forEach((cookie) => {
 if (cookie && cookie.split('=').length > 1) {
 const cookieKey = cookie.split('=')[0].trim();
 const cookieValue = cookie.split('=')[1].trim();
 if (cookieKey === cookieKeys.AUTH_TOKEN) {
- if (validTokens.includes(cookieValue)) {
- userAuthenticated = true;
- }
+ users.forEach((user) => {
+ if (generateUserToken(user) === cookieValue) {
+ userAuthenticated = true;
+ localStorage.setItem(localStorageKeys.USERNAME, user.user);
+ }
+ });
 }
 }
 });
@@ -159,10 +161,10 @@ export const getCurrentUser = () => {
 * Checks if the user is viewing the dashboard as a guest
 * Returns true if guest mode enabled, and user not logged in
 * */
-export const isLoggedInAsGuest = () => {
+export const isLoggedInAsGuest = (currentUser) => {
 const guestEnabled = isGuestAccessEnabled();
- const notLoggedIn = !isLoggedIn();
- return guestEnabled && notLoggedIn;
+ const loggedIn = isLoggedIn() && currentUser;
+ return guestEnabled && !loggedIn;
 };

 /**
diff --git a/src/utils/CheckItemVisibility.js b/src/utils/CheckItemVisibility.js
index ff2206e8..c467fbaf 100644
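Review bot: When no cookie matches a configured user, the new loop leaves whatever is already stored under localStorageKeys.USERNAME in place, so a stale or hand-written username outlives the cookie that should back it; if getCurrentUser (declared just above the second hunk, body not shown) reads that key back, a forged name is still trusted on every path that does not also consult isLoggedIn. Clearing the key on the miss path, after the cookie loop and provided nothing else relies on the stored name outliving the cookie, closes that gap: `if (!userAuthenticated) localStorage.removeItem(localStorageKeys.USERNAME);`. The write also sits inside the cookie loop, so with more than one AUTH_TOKEN cookie the last matching one wins. The loop's closing `});` is the hunk's last line; isLoggedIn's return statement is outside it.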
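Review bot: The doc comment above isLoggedInAsGuest still describes a zero-argument check; with the new currentUser parameter a caller that still invokes `isLoggedInAsGuest()` is reported as a guest whenever guest access is enabled, even with a valid auth cookie. This diff updates the callers in CheckItemVisibility, CheckSectionVisibility and IsVisibleToUser, but any other call site is outside the patch and worth searching for. Suggest adding ` * @param currentUser the value returned by getCurrentUser(); a falsy value counts as not logged in` to the comment, and since `loggedIn` currently holds currentUser itself rather than a boolean, `const loggedIn = isLoggedIn() && Boolean(currentUser);` states the intent more plainly.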
--- a/src/utils/CheckItemVisibility.js
+++ b/src/utils/CheckItemVisibility.js
@@ -5,15 +5,14 @@
 */

 // Import helper functions from auth, to get current user, and check if guest
-import { getCurrentUser, isLoggedInAsGuest } from '@/utils/Auth';
+import { getCurrentUser } from '@/utils/Auth';
 import { isVisibleToUser } from '@/utils/IsVisibleToUser';

 /* Putting it all together, the function to export */
 export const checkItemVisibility = (item) => {
 const currentUser = getCurrentUser(); // Get current user object
- const isGuest = isLoggedInAsGuest(); // Check if current user is a guest
 const displayData = item.displayData || {};
- return isVisibleToUser(displayData, currentUser, isGuest);
+ return isVisibleToUser(displayData, currentUser);
 };

 export default checkItemVisibility;
diff --git a/src/utils/CheckSectionVisibility.js b/src/utils/CheckSectionVisibility.js
index c549dea1..30e4dca7 100644
--- a/src/utils/CheckSectionVisibility.js
+++ b/src/utils/CheckSectionVisibility.js
@@ -5,16 +5,15 @@
 */

 // Import helper functions from auth, to get current user, and check if guest
-import { getCurrentUser, isLoggedInAsGuest } from '@/utils/Auth';
+import { getCurrentUser } from '@/utils/Auth';
 import { isVisibleToUser } from '@/utils/IsVisibleToUser';

 /* Putting it all together, the function to export */
 export const checkSectionVisibility = (sections) => {
 const currentUser = getCurrentUser(); // Get current user object
- const isGuest = isLoggedInAsGuest(); // Check if current user is a guest
 return sections.filter((currentSection) => {
 const displayData = currentSection.displayData || {};
- return isVisibleToUser(displayData, currentUser, isGuest);
+ return isVisibleToUser(displayData, currentUser);
 });
 };

diff --git a/src/utils/IsVisibleToUser.js b/src/utils/IsVisibleToUser.js
index ea8343cf..fba48fa6 100644
--- a/src/utils/IsVisibleToUser.js
+++ b/src/utils/IsVisibleToUser.js
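Review bot: The comment `// Import helper functions from auth, to get current user, and check if guest` above the changed import in CheckItemVisibility no longer matches the import, which now brings in getCurrentUser only; the CheckSectionVisibility hunk has the same stale line. Suggest `// Import helper function from auth, to get the current user` in both files. Note also that since isVisibleToUser now derives guest status itself, checkSectionVisibility's filter triggers that derivation once per section rather than once per call, which is what the removed isGuest local used to avoid.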
@@ -6,6 +6,7 @@

 // Import helper functions from auth, to get current user, and check if guest
 import { localStorageKeys } from '@/utils/defaults';
+import { isLoggedInAsGuest } from '@/utils/Auth';

 /* Helper function, checks if a given testValue is found in the visibility list */
 const determineVisibility = (visibilityList, testValue) => {
@@ -25,7 +26,9 @@ const determineIntersection = (source = [], target = []) => {

 /* Returns false if the displayData of a section/item should not be rendered for the current user/ guest */
-export const isVisibleToUser = (displayData, currentUser, isGuest) => {
+export const isVisibleToUser = (displayData, currentUser) => {
+ const isGuest = isLoggedInAsGuest(currentUser); // Check if current user is a guest
+ // Checks if user explicitly has access to a certain section
 const checkVisibility = () => {
 if (!currentUser) return true;
From 46420d4f15f4589d6023bf93919c8b22ae9553cf Mon Sep 17 00:00:00 2001
From: kristian
Date: Sat, 10 Sep 2022 22:04:17 -0700
Subject: [PATCH 2/2] Stop checking users once match is found.

---
 src/utils/Auth.js | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/utils/Auth.js b/src/utils/Auth.js
index 078fd303..a57290bd 100644
--- a/src/utils/Auth.js
+++ b/src/utils/Auth.js
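Review bot: isVisibleToUser now calls isLoggedInAsGuest, and through it isLoggedIn, for every item or section it is asked about, so the cookie string is re-parsed, a token is regenerated for every configured user and localStorage is written once per item instead of once per checkItemVisibility/checkSectionVisibility call as before the patch. There is also an ordering wrinkle: the caller obtains currentUser from getCurrentUser before isLoggedIn has had a chance to store the matched username, so on a page with a valid cookie but no USERNAME key yet the first evaluation may see a null currentUser and later ones a value — presumably harmless if the login flow stores the name too, but worth confirming. The dropped third parameter is silently ignored for any caller still passing it. Suggest a short comment on the new line noting that isLoggedInAsGuest has a side effect (it may store the matched username) and that currentUser is expected to be the caller's getCurrentUser() result. The function body continues outside the hunk.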
@@ -54,20 +54,20 @@ const generateUserToken = (user) => {
 */
 export const isLoggedIn = () => {
 const users = getUsers();
- let userAuthenticated = false;
- document.cookie.split(';').forEach((cookie) => {
+ let userAuthenticated = document.cookie.split(';').some((cookie) => {
 if (cookie && cookie.split('=').length > 1) {
 const cookieKey = cookie.split('=')[0].trim();
 const cookieValue = cookie.split('=')[1].trim();
 if (cookieKey === cookieKeys.AUTH_TOKEN) {
- users.forEach((user) => {
+ userAuthenticated = users.some((user) => {
 if (generateUserToken(user) === cookieValue) {
- userAuthenticated = true;
 localStorage.setItem(localStorageKeys.USERNAME, user.user);
- }
+ return true;
+ } else return false;
 });
- }
- }
+ return userAuthenticated;
+ } else return false;
+ } else return false;
 });
 return userAuthenticated;
 };
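Review bot: The assignment `userAuthenticated = users.some(...)` inside the `.some` callback runs while the initializer of `let userAuthenticated` is still being evaluated, so the binding is in its temporal dead zone and the assignment throws a ReferenceError; this happens exactly when an AUTH_TOKEN cookie is present, i.e. on the logged-in path, and the `return userAuthenticated` inside the callback trips over the same uninitialized binding. The assignment is redundant anyway, because `.some` already yields the match result, so the callback can return it directly and the outer binding can become a `const`. The nested `if … else return false` chains also read more clearly as guard clauses, as below.
```javascript
export const isLoggedIn = () => {
  const users = getUsers();
  const userAuthenticated = document.cookie.split(';').some((cookie) => {
    if (!cookie || cookie.split('=').length < 2) return false;
    const cookieKey = cookie.split('=')[0].trim();
    const cookieValue = cookie.split('=')[1].trim();
    if (cookieKey !== cookieKeys.AUTH_TOKEN) return false;
    return users.some((user) => {
      if (generateUserToken(user) !== cookieValue) return false;
      localStorage.setItem(localStorageKeys.USERNAME, user.user);
      return true;
    });
  });
  return userAuthenticated;
};
```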