🔀 Merge pull request #113 from Lissy93/FIX/auth-security-fix

[SECURITY] Improve Robustness of Auth Checking
2021-08-01 15:42:38 +01:00 · 2021-08-01 15:42:38 +01:00 · fe48310fcd
parent 01e4c0f225 87f6438b89
commit fe48310fcd
5 changed files with 20 additions and 5 deletions
--- a/.github/CHANGELOG.md
+++ b/.github/CHANGELOG.md
@ -1,6 +1,11 @@
 # Changelog

-## ✨ 1.4.8 - Optional Crash Reports [PR #120](https://github.com/Lissy93/dashy/pull/112)
+## 🔒 1.5.0 - Improve Robustness of Auth [PR #113](https://github.com/Lissy93/dashy/pull/113)
+- Use both username + password for generating token, so that a change in either will log the user out
+- Prevent privilege escalation by disallowing a user from modifying their user type through the UI
+- Improve the isAuthenticated check, by taking account of empty users array 
+
+## ✨ 1.4.8 - Optional Crash Reports [PR #112](https://github.com/Lissy93/dashy/pull/112)
 - Adds an optional, off by default method of getting crash reports
 - This can be enabled in `appConfig.enableErrorReporting`, and will not be used at all unless explicitly activated by user
 - This is needed for when a user raises a bug which is hard to fix
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "Dashy",
-  "version": "1.4.8",
+  "version": "1.5.0",
  "license": "MIT",
  "main": "server",
  "scripts": {
--- a/src/components/Configuration/JsonEditor.vue
+++ b/src/components/Configuration/JsonEditor.vue
@ -146,6 +146,7 @@ export default {
        localStorage.setItem(localStorageKeys.PAGE_INFO, JSON.stringify(data.pageInfo));
      }
      if (data.appConfig) {
+        data.appConfig.auth = this.config.appConfig.auth || [];
        localStorage.setItem(localStorageKeys.APP_CONFIG, JSON.stringify(data.appConfig));
      }
      if (data.appConfig.theme) {
--- a/src/router.js
+++ b/src/router.js
@ -11,9 +11,14 @@ import { metaTagData } from '@/utils/defaults';

 Vue.use(Router);

+/**
+ * Checks if the current user is either authenticated,
+ * or if authentication is not enabled
+ * @returns true if user logged in, or user management not enabled
+ */
 const isAuthenticated = () => {
  const users = config.appConfig.auth;
-  return (!users || isLoggedIn(users));
+  return (!users || users.length === 0 || isLoggedIn(users));
 };

 const router = new Router({
--- a/src/utils/Auth.js
+++ b/src/utils/Auth.js
@ -6,7 +6,11 @@ import { cookieKeys, localStorageKeys } from './defaults';
 * @param {String} user The username of user
 * @returns {String} The hashed token
 */
-const generateUserToken = (user) => sha256(user.toString()).toString().toLowerCase();
+const generateUserToken = (user) => {
+  const strAndUpper = (input) => input.toString().toUpperCase();
+  const sha = sha256(strAndUpper(user.user) + strAndUpper(user.hash));
+  return strAndUpper(sha);
+};

 /**
 * Checks if the user is currently authenticated
@ -47,7 +51,7 @@ export const checkCredentials = (username, pass, users) => {
    response = { correct: false, msg: 'Missing Password' };
  } else {
    users.forEach((user) => {
-      if (user.user === username) {
+      if (user.user.toLowerCase() === username.toLowerCase()) {
        if (user.hash.toLowerCase() === sha256(pass).toString().toLowerCase()) {
          response = { correct: true, msg: 'Logging in...' };
        } else {