
:memo: Made notes on needed security fix and ux edge case

tags/0.0.3^2
tomit4 2 lat temu
rodzic
commit
be07c9c76f

+ 3
- 0
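--- a/backend/lib/services/user.js
+++ b/backend/lib/services/user.js
@@ -325,6 +325,9 @@ module.exports = class UserService extends Schmervice.Service {
         const duration = 1000 * 60 * 10
 
         this.hashedEmails[hashedEmail] = Date.now() + duration
+        // TODO: See FrontEnd in Auth.vue and VerifyView.vue notes:
+        // if user closes browser, they'll need to be issued first session token based off of this:
+        // this.hashedEmails[hashedEmail][email] = userEmail
         const sendSmtpEmail = {
             to: [
                 {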
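Review bot: The line sketched in the new TODO, `this.hashedEmails[hashedEmail][email] = userEmail`, cannot work as written, because two lines earlier `this.hashedEmails[hashedEmail]` is assigned a Number (`Date.now() + duration`), and setting a property on a number primitive is silently discarded in sloppy mode and throws in strict mode. If the entry has to carry the address alongside the expiry, the stored value needs to become an object, e.g. `this.hashedEmails[hashedEmail] = { expiresAt: Date.now() + duration, email: userEmail }`, and every reader of this map elsewhere in the file then has to be updated to match. Whether keeping the plaintext address in this in-memory map is acceptable depends on how long entries live and who reads them, which is not visible here, so the TODO should state that constraint rather than only the assignment. The enclosing method starts and ends outside the hunk.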

+ 1
- 0
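--- a/frontend/src/components/onboarding/Auth.vue
+++ b/frontend/src/components/onboarding/Auth.vue
@@ -51,6 +51,7 @@ export default {
             const sessionToken = await this.getSessionToken({
                 ...this.answered,
             })
+            // TODO: Flawed thinking, what if user closes browser and answers email later??
             document.cookie = `siimee_session=${sessionToken}; max-age=600; path=/; secure`
             await this.authenticator.sendAuthEmail(this.answered)
         } catch (err) {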
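Review bot: The new TODO is really a statement about the line below it: the session token exists only in a ten-minute client cookie (`max-age=600`), so a user who opens the email later has nothing to present, and the comment should say that concretely instead of "Flawed thinking". Because the cookie is written from script via `document.cookie` it cannot be HttpOnly, so the token is readable by any script running on the page; the line also sets no SameSite attribute, and appending `SameSite=Lax` to the cookie string is a small change worth making while this is revisited. A comment such as `// TODO: the session token lives only in this 10-minute cookie; a user who returns after closing the browser has none, so the verify step must be able to issue one` would capture both points. The enclosing try block starts outside the hunk.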

+ 1
- 0
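--- a/frontend/src/services/auth.service.js
+++ b/frontend/src/services/auth.service.js
@@ -21,6 +21,7 @@ class Authenticator {
     async getAccessToken(req) {
         return await db.post('/user/getaccess', req, true)
     }
+    // TODO: Possible Security issue, returned .payload has user email in plain text...
     async validateSession(token) {
         return await db.get('/user/validatesession', token)
     }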
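Review bot: The new TODO sits between `getAccessToken` and `validateSession`, so it is unclear which response's `.payload` carries the email, and the identical comment is repeated in OnboardingView.vue above `verifyBothTokens`, even further from the call it describes. Name the endpoint once, e.g. `// TODO: the /user/validatesession response payload includes the user's email in plain text; have the API return only the validation result`, and replace the OnboardingView.vue copy with a reference to this one. The fix itself belongs on the backend side of that route, since the client cannot un-receive a field it was sent, and until then the address ends up in any client-side logging or caching of the response.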

+ 3
- 0
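--- a/frontend/src/views/OnboardingView.vue
+++ b/frontend/src/views/OnboardingView.vue
@@ -107,6 +107,7 @@ export default {
                 cookieKey in cookies ? cookies[`${cookieKey}`] : undefined
             return cookieVal
         },
+        // TODO: Possible Security issue, returned .payload has user email in plain text...
         async verifyBothTokens() {
             const sessionTokenIsValid = await this.verifySessionToken(
                 sessionToken,
@@ -235,6 +236,8 @@ export default {
                 this.responses.push(response)
                 if (k === 'aspects') return
             }
+            // if user as finished minimum profile creation,
+            // Adds survey answers to responses table and verifies tokens on each step
             if (currentProfileId) {
                 // TODO: Still have to authenticate this route
                 await surveyFactory.addNewSurveyAnswer(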
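Review bot: The new comment above `if (currentProfileId)` has a typo and claims more than the visible lines support: `// if user as finished minimum profile creation,` should read `// if user has finished minimum profile creation,`, and its second line says tokens are verified on each step, which the existing `// TODO: Still have to authenticate this route` directly below appears to contradict. Keep the comment to what this branch visibly does, e.g. `// Once the minimum profile exists, persist the survey answer (route not yet authenticated; see TODO below).` The enclosing method starts and ends outside the hunk.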

+ 3
- 0
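--- a/frontend/src/views/VerifyView.vue
+++ b/frontend/src/views/VerifyView.vue
@@ -56,6 +56,9 @@ export default {
             )
             if (!hashesMatch) throw new Error('Hash is not in registry!')
         },
+        // TODO: Flawed thinking, what if user closed browser and then answered email?
+        // session token won't exist, it will need to be generated here using the hashEmail, problem is:
+        // hashEmail cannot access
         async doesSessionTokenExist(sessionToken) {
             if (!sessionToken)
                 throw new Error('sessionToken not in cookie store!')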
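Review bot: The new TODO breaks off mid-sentence at `// hashEmail cannot access`, so a later reader cannot tell what hashEmail cannot access; finish the sentence or drop the fragment. The direction it sketches, generating the missing session token in this view from the hashed email, is also the wrong place for that work: a token minted on the client from a value the client already holds proves nothing, whereas the backend that handles the email link is the party with evidence of address ownership, so the token should be issued in the response to that verification call and merely stored here. A comment along the lines of `// TODO: if the browser was closed the session cookie is gone; have the verify endpoint issue a fresh session token instead of deriving one client-side` would record that. doesSessionTokenExist continues past the end of the hunk.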
