Merge pull request #1335 from kcoderhtml/token-fix

bug: stop empty token bypass
This commit is contained in:
Max Wofford 2024-08-22 05:50:07 +00:00 committed by GitHub
commit 5abf040437
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -1,21 +1,17 @@
import AirtablePlus from "airtable-plus"
import AirtablePlus from 'airtable-plus'
const airtable = new AirtablePlus({
apiKey: process.env.AIRTABLE_API_KEY,
baseID: 'app4kCWulfB02bV8Q',
tableName: "Users"
tableName: 'Users'
})
async function getUserFromLogin(loginToken) {
// only alphanumeric & '-' characters are allowed in the token
const safeLoginToken = loginToken.replace(/[^a-zA-Z0-9-]/g, '')
const results = await airtable.read({
filterByFormula: `{Login Token} = '${safeLoginToken}'`,
maxRecords: 1
})
return results[0]
}
@ -28,26 +24,34 @@ async function scrubLoginToken(userID) {
export default async function handler(req, res) {
if (req.method !== 'POST') {
return res.status(405).json({ error: "Method not allowed" })
return res.status(405).json({ error: 'Method not allowed' })
}
const { token } = req.query
if (!token) {
return res.status(400).json({ error: "Token is required" })
return res.status(400).json({ error: 'Token is required' })
}
const user = await getUserFromLogin(token)
// only alphanumeric & '-' characters are allowed in the token
const safeLoginToken = token.replace(/[^a-zA-Z0-9-]/g, '')
if (safeLoginToken === '') {
return res
.status(400)
.json({ error: 'hey! no injection attacks thats mean' })
}
const user = await getUserFromLogin(safeLoginToken)
if (!user) {
return res.status(404).json({ error: "User not found" })
return res.status(404).json({ error: 'User not found' })
}
const authToken = user.fields['Auth Token']
if (!authToken) {
return res.status(500).json({ error: "Auth Token not found" })
return res.status(500).json({ error: 'Auth Token not found' })
}
await scrubLoginToken(user.id)
// return back the user's AuthToken
res.status(200).json({ authToken })
}
}
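Review bot: The new `token.replace(...)` at the top of handler still throws when `token` is not a string, because the `!token` guard above it only rejects falsy values; with `req.query` a repeated query parameter (`?token=a&token=b`) typically arrives as an array (this looks like a Next.js-style API route, so verify against the framework), and the TypeError turns into an unhandled 500 instead of a 400. A type check closes that: `if (typeof token !== 'string' || token === '') {`. Beyond that, silently stripping disallowed characters can turn a malformed token into a different, valid-looking one before the lookup; validating against the allowlist instead, `if (!/^[a-zA-Z0-9-]+$/.test(token)) { return res.status(400).json({ error: 'Token is required' }) }`, rejects the input outright and also makes the separate empty-string branch unnecessary. If getUserFromLogin in the first hunk no longer sanitizes its argument, a comment there such as `// caller must pass an already-validated token; this value is interpolated into filterByFormula` would document the contract the handler now enforces.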