From e5af6fd827ea91bd10c37e99ba10ff5cdfa1c688 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?=
Date: Tue, 12 Nov 2024 16:42:51 -0500
Subject: [PATCH] fix(middleware): critical security loophole

ensure that not logged in users can't access restricted stories via the api or regular pages
---
 lib/client/middleware.ts | 3 +++
 lib/server/middlewareButNotReally/index.ts | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/lib/client/middleware.ts b/lib/client/middleware.ts
index c93adab..23801e0 100644
--- a/lib/client/middleware.ts
+++ b/lib/client/middleware.ts
@@ -14,6 +14,9 @@ export const storyMiddleware = defineNuxtRouteMiddleware(async (to, from) => {
 console.log("to n from", to, from, data);
 const { data: story, error } = await useApiFetch(to.path);
 if (error.value) {
+ if (error.value.message.toLocaleLowerCase() == "unauthenticated") {
+ return navigateTo("/auth/login");
+ }
 return showError(error.value);
 } else if (!story.value) {
 return showError({ statusCode: 404, message: messages[404] });
diff --git a/lib/server/middlewareButNotReally/index.ts b/lib/server/middlewareButNotReally/index.ts
index 832c8fc..0dfa23e 100644
--- a/lib/server/middlewareButNotReally/index.ts
+++ b/lib/server/middlewareButNotReally/index.ts
@@ -47,6 +47,9 @@ export async function storyCheck(event: H3Event, story: ISt
 } else if (story.chapters[idx]?.hidden && event.context.currentUser?._id !== (story.author as IUser)._id && !event.context.currentUser?.profile.isAdmin) {
 ret.statusCode = 403;
 ret.message = messages[403];
+ } else if (story.chapters[idx]?.loggedInOnly && !event.context.currentUser) {
+ ret.statusCode = 403;
+ ret.message = messages[403];
 }
 return !!Object.keys(ret).length ? ret : null;
 }
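Review bot: The added check calls `error.value.message.toLocaleLowerCase()` with no guard for a missing `message`, so an error object without one throws inside the middleware instead of reaching `showError`, and it uses loose `==` where `===` is the norm. Branching on a status code would be more robust than matching free text, if the error returned by useApiFetch carries one; failing that, at least `if (error.value.message?.toLowerCase() === "unauthenticated") {`. Consider also handing the requested route to the login page, e.g. `return navigateTo({ path: "/auth/login", query: { redirect: to.fullPath } });` (query key chosen here, the login page would need to read it), so the user returns to the story after signing in. This route middleware is only a convenience redirect; the server-side check in storyCheck is what actually gates access, so keep that in mind when judging the "critical security" wording of the commit. The enclosing storyMiddleware callback starts and ends outside the hunk.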
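Review bot: The new branch answers an unauthenticated request with `ret.statusCode = 403` and `ret.message = messages[403]`, while the client-side check added in lib/client/middleware.ts redirects only when the error message equals "unauthenticated" — unless messages[403] is exactly that string, the redirect never fires and the visitor gets a generic error page rather than a login prompt. A missing login is conventionally 401, so `ret.statusCode = 401; ret.message = messages[401];` (if the messages table has a 401 entry) would be more accurate and would give the client a status code to branch on instead of message text. The check only inspects `story.chapters[idx]?.loggedInOnly`; if stories themselves carry a logged-in-only flag, it is not enforced here — worth confirming against the IStory model given the commit message talks about restricted stories. storyCheck starts outside the hunk, so where `idx` comes from and how it is bounds-checked is not visible here.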