
:memo: Made notes on needed security fix and ux edge case

tags/0.0.3^2
tomit4 2 år sedan
förälder
incheckning
be07c9c76f

+ 3
- 0
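--- a/backend/lib/services/user.js
+++ b/backend/lib/services/user.js
@@ -325,6 +325,9 @@
         const duration = 1000 * 60 * 10
 
         this.hashedEmails[hashedEmail] = Date.now() + duration
+        // TODO: See FrontEnd in Auth.vue and VerifyView.vue notes:
+        // if user closes browser, they'll need to be issued first session token based off of this:
+        // this.hashedEmails[hashedEmail][email] = userEmail
         const sendSmtpEmail = {
             to: [
                 {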
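Review bot: The storage shape sketched in the new TODO, `this.hashedEmails[hashedEmail][email] = userEmail`, cannot work against line 327, where `this.hashedEmails[hashedEmail]` is assigned a number; setting a property on a primitive is silently dropped in sloppy mode and throws in strict mode. If the address has to travel with the expiry, store a record instead, e.g. `this.hashedEmails[hashedEmail] = { expiresAt: Date.now() + duration, email: userEmail }`, and adjust whatever reads the expiry. If `hashedEmail` can originate from a client request (not visible here), keying a plain object on it invites prototype-key collisions, so a `Map` or `Object.create(null)` would be the safer container. The enclosing method begins and ends outside the hunk.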

+ 1
- 0
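--- a/frontend/src/components/onboarding/Auth.vue
+++ b/frontend/src/components/onboarding/Auth.vue
@@ -51,6 +51,7 @@
             const sessionToken = await this.getSessionToken({
                 ...this.answered,
             })
+            // TODO: Flawed thinking, what if user closes browser and answers email later??
             document.cookie = `siimee_session=${sessionToken}; max-age=600; path=/; secure`
             await this.authenticator.sendAuthEmail(this.answered)
         } catch (err) {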
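Review bot: The cookie written on the line after the new TODO is created from page script, so it can never carry `HttpOnly`, and it also sets no `SameSite` attribute; a session token stored that way is readable by any script running on the origin and relies on the browser's Lax default for cross-site behaviour. At minimum append the attribute explicitly: `document.cookie = \`siimee_session=${sessionToken}; max-age=600; path=/; secure; samesite=strict\``; the stronger fix is to have the backend issue the session through a `Set-Cookie` header with `HttpOnly`. Note also that `max-age=600` must stay in step with the ten-minute `duration` in `backend/lib/services/user.js` (touched in this same commit), so deriving both from one shared constant would avoid silent drift. The enclosing function starts outside the hunk.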

+ 1
- 0
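--- a/frontend/src/services/auth.service.js
+++ b/frontend/src/services/auth.service.js
@@ -21,6 +21,7 @@
     async getAccessToken(req) {
         return await db.post('/user/getaccess', req, true)
     }
+    // TODO: Possible Security issue, returned .payload has user email in plain text...
     async validateSession(token) {
         return await db.get('/user/validatesession', token)
     }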
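Review bot: The new TODO does not say which call returns the plaintext address, so it is hard to act on; it sits above `validateSession` but names only `.payload`, which could describe either endpoint in this hunk. Rewrite it to pin the call, e.g. `// TODO(security): GET /user/validatesession returns the user's email in .payload; return only what the client needs`. Separately, `db.get('/user/validatesession', token)` hands the token over as a bare second argument — if the helper places it in the query string, the session token will end up in server and proxy logs; confirm it travels in a header or cookie rather than the URL. The `db` helper is defined outside this hunk, so I cannot verify which it does.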

+ 3
- 0
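--- a/frontend/src/views/OnboardingView.vue
+++ b/frontend/src/views/OnboardingView.vue
@@ -107,6 +107,7 @@
                 cookieKey in cookies ? cookies[`${cookieKey}`] : undefined
             return cookieVal
         },
+        // TODO: Possible Security issue, returned .payload has user email in plain text...
         async verifyBothTokens() {
             const sessionTokenIsValid = await this.verifySessionToken(
                 sessionToken,
@@ -235,6 +236,8 @@
                 this.responses.push(response)
                 if (k === 'aspects') return
             }
+            // if user as finished minimum profile creation,
+            // Adds survey answers to responses table and verifies tokens on each step
             if (currentProfileId) {
                 // TODO: Still have to authenticate this route
                 await surveyFactory.addNewSurveyAnswer(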
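Review bot: The new comment before `if (currentProfileId)` in the second hunk claims the step "verifies tokens on each step", but the pre-existing TODO two lines below says the route is still unauthenticated, so the comment overstates what the code does; it also has a typo ("as" → "has") and a dangling comma. Suggest replacing both added lines with `// Once the user has finished minimum profile creation, add the survey answers to the responses table (route not yet authenticated — see TODO below)`. The TODO added in the first hunk of this file repeats the one in `frontend/src/services/auth.service.js` verbatim; keep a single copy at the service that actually returns `.payload` and reference it from here. The enclosing method continues outside the hunk.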

+ 3
- 0
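--- a/frontend/src/views/VerifyView.vue
+++ b/frontend/src/views/VerifyView.vue
@@ -56,6 +56,9 @@
             )
             if (!hashesMatch) throw new Error('Hash is not in registry!')
         },
+        // TODO: Flawed thinking, what if user closed browser and then answered email?
+        // session token won't exist, it will need to be generated here using the hashEmail, problem is:
+        // hashEmail cannot access
         async doesSessionTokenExist(sessionToken) {
             if (!sessionToken)
                 throw new Error('sessionToken not in cookie store!')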
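Review bot: The new TODO above `doesSessionTokenExist` breaks off mid-sentence at `// hashEmail cannot access`, so the blocker it meant to record is lost; finish the thought or drop the fragment. The direction it sketches — generating the session in the browser from the hashed email — would make a session derivable from a deterministic value rather than from a server-issued, single-use, expiring credential; the server-side `hashedEmails` expiry touched in this same commit suggests the verify step should instead ask the backend to issue a fresh session once it has checked the emailed hash. Suggest recording that in the TODO, e.g. `// TODO: if the session cookie is gone (browser closed), have the backend issue a new session when it verifies the emailed hash, rather than deriving one client-side`. The `hashesMatch` block starts outside the hunk and `doesSessionTokenExist` ends outside it.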
