🔀 Merge pull request #113 from Lissy93/FIX/auth-security-fix

[SECURITY] Improve Robustness of Auth Checking

.github/CHANGELOG.md

@@ -1,6 +1,11 @@
 # Changelog
 
-## ✨ 1.4.8 - Optional Crash Reports [PR #120](https://github.com/Lissy93/dashy/pull/112)
+## 🔒 1.5.0 - Improve Robustness of Auth [PR #113](https://github.com/Lissy93/dashy/pull/113)
+- Use both username + password for generating token, so that a change in either will log the user out
+- Prevent privilege escalation by disallowing a user from modifying their user type through the UI
+- Improve the isAuthenticated check, by taking account of empty users array 
+
+## ✨ 1.4.8 - Optional Crash Reports [PR #112](https://github.com/Lissy93/dashy/pull/112)
 - Adds an optional, off by default method of getting crash reports
 - This can be enabled in `appConfig.enableErrorReporting`, and will not be used at all unless explicitly activated by user
 - This is needed for when a user raises a bug which is hard to fix

package.json

@@ -1,6 +1,6 @@
 {
   "name": "Dashy",
-  "version": "1.4.8",
+  "version": "1.5.0",
   "license": "MIT",
   "main": "server",
   "scripts": {

src/components/Configuration/JsonEditor.vue

@@ -146,6 +146,7 @@ export default {
         localStorage.setItem(localStorageKeys.PAGE_INFO, JSON.stringify(data.pageInfo));
       }
       if (data.appConfig) {
+        data.appConfig.auth = this.config.appConfig.auth || [];
         localStorage.setItem(localStorageKeys.APP_CONFIG, JSON.stringify(data.appConfig));
       }
       if (data.appConfig.theme) {

src/router.js

@@ -11,9 +11,14 @@ import { metaTagData } from '@/utils/defaults';
 
 Vue.use(Router);
 
+/**
+ * Checks if the current user is either authenticated,
+ * or if authentication is not enabled
+ * @returns true if user logged in, or user management not enabled
+ */
 const isAuthenticated = () => {
   const users = config.appConfig.auth;
-  return (!users || isLoggedIn(users));
+  return (!users || users.length === 0 || isLoggedIn(users));
 };
 
 const router = new Router({

src/utils/Auth.js

@@ -6,7 +6,11 @@ import { cookieKeys, localStorageKeys } from './defaults';
  * @param {String} user The username of user
  * @returns {String} The hashed token
  */
-const generateUserToken = (user) => sha256(user.toString()).toString().toLowerCase();
+const generateUserToken = (user) => {
+  const strAndUpper = (input) => input.toString().toUpperCase();
+  const sha = sha256(strAndUpper(user.user) + strAndUpper(user.hash));
+  return strAndUpper(sha);
+};
 
 /**
  * Checks if the user is currently authenticated
@@ -47,7 +51,7 @@ export const checkCredentials = (username, pass, users) => {
     response = { correct: false, msg: 'Missing Password' };
   } else {
     users.forEach((user) => {
-      if (user.user === username) {
+      if (user.user.toLowerCase() === username.toLowerCase()) {
         if (user.hash.toLowerCase() === sha256(pass).toString().toLowerCase()) {
           response = { correct: true, msg: 'Logging in...' };
         } else {