fix(middleware): critical security loophole

ensure that not logged in users can't access restricted stories via the api or regular pages
2024-11-12 16:42:51 -05:00 · 2024-11-12 16:42:51 -05:00 · e5af6fd827
commit e5af6fd827
parent b2c99726bc
2 changed files with 6 additions and 0 deletions
--- a/lib/client/middleware.ts
+++ b/lib/client/middleware.ts
@ -14,6 +14,9 @@ export const storyMiddleware = defineNuxtRouteMiddleware(async (to, from) => {
 	console.log("to n from", to, from, data);
 	const { data: story, error } = await useApiFetch<SingleChapterResult>(to.path);
 	if (error.value) {
+		if (error.value.message.toLocaleLowerCase() == "unauthenticated") {
+			return navigateTo("/auth/login");
+		}
 		return showError(error.value);
 	} else if (!story.value) {
 		return showError({ statusCode: 404, message: messages[404] });
--- a/lib/server/middlewareButNotReally/index.ts
+++ b/lib/server/middlewareButNotReally/index.ts
@ -47,6 +47,9 @@ export async function storyCheck(event: H3Event<EventHandlerRequest>, story: ISt
 	} else if (story.chapters[idx]?.hidden && event.context.currentUser?._id !== (story.author as IUser)._id && !event.context.currentUser?.profile.isAdmin) {
 		ret.statusCode = 403;
 		ret.message = messages[403];
+	} else if (story.chapters[idx]?.loggedInOnly && !event.context.currentUser) {
+		ret.statusCode = 403;
+		ret.message = messages[403];
 	}
 	return !!Object.keys(ret).length ? ret : null;
 }