fix(middleware): critical security loophole
ensure that not logged in users can't access restricted stories via the api or regular pages
This commit is contained in:
parent
b2c99726bc
commit
e5af6fd827
@ -14,6 +14,9 @@ export const storyMiddleware = defineNuxtRouteMiddleware(async (to, from) => {
|
|||||||
console.log("to n from", to, from, data);
|
console.log("to n from", to, from, data);
|
||||||
const { data: story, error } = await useApiFetch<SingleChapterResult>(to.path);
|
const { data: story, error } = await useApiFetch<SingleChapterResult>(to.path);
|
||||||
if (error.value) {
|
if (error.value) {
|
||||||
|
if (error.value.message.toLocaleLowerCase() == "unauthenticated") {
|
||||||
|
return navigateTo("/auth/login");
|
||||||
|
}
|
||||||
return showError(error.value);
|
return showError(error.value);
|
||||||
} else if (!story.value) {
|
} else if (!story.value) {
|
||||||
return showError({ statusCode: 404, message: messages[404] });
|
return showError({ statusCode: 404, message: messages[404] });
|
||||||
|
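Review bot: The added redirect condition keys on the error's message text, `error.value.message.toLocaleLowerCase() == "unauthenticated"`, which silently stops working the moment the API wording changes, and `toLocaleLowerCase()` without a locale argument depends on the runtime's default locale (under a Turkish locale an upper-case "I" lowercases to dotless "ı", so the comparison fails). If useApiFetch wraps Nuxt's useFetch, the error also carries the HTTP status, so the stable signal would be `if (error.value.statusCode === 401) {`; at minimum use `toLowerCase()` and `===`. Because this branch runs before `showError`, any error whose message happens to match is swallowed into a login redirect, so branching on status rather than text also keeps genuine failures visible. The storyMiddleware callback starts and continues outside this hunk.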
@ -47,6 +47,9 @@ export async function storyCheck(event: H3Event<EventHandlerRequest>, story: ISt
|
|||||||
} else if (story.chapters[idx]?.hidden && event.context.currentUser?._id !== (story.author as IUser)._id && !event.context.currentUser?.profile.isAdmin) {
|
} else if (story.chapters[idx]?.hidden && event.context.currentUser?._id !== (story.author as IUser)._id && !event.context.currentUser?.profile.isAdmin) {
|
||||||
ret.statusCode = 403;
|
ret.statusCode = 403;
|
||||||
ret.message = messages[403];
|
ret.message = messages[403];
|
||||||
|
} else if (story.chapters[idx]?.loggedInOnly && !event.context.currentUser) {
|
||||||
|
ret.statusCode = 403;
|
||||||
|
ret.message = messages[403];
|
||||||
}
|
}
|
||||||
return !!Object.keys(ret).length ? ret : null;
|
return !!Object.keys(ret).length ? ret : null;
|
||||||
}
|
}
|
||||||
|
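Review bot: The new `loggedInOnly` branch reports an anonymous visitor with `ret.statusCode = 403` and `messages[403]`, while the middleware change in the first hunk only redirects to login when the error message lowercases to "unauthenticated"; unless `messages[403]` is exactly that string (and assuming the caller turns `ret` into the API error), a logged-out user on a login-only chapter gets a generic forbidden page instead of the login redirect this commit intends. Missing authentication is a 401, not a 403, so `ret.statusCode = 401; ret.message = messages[401];` (if `messages` has a 401 entry) would be semantically correct and give the middleware a status code to branch on instead of a message string. The two branches otherwise assign identical status and message; hoisting `const chapter = story.chapters[idx];` and `const user = event.context.currentUser;` and merging the conditions would remove the duplication and make the access rule readable in one place. storyCheck begins outside this hunk, so where `idx` is validated could not be checked here.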