Split middleware into two different components #1174
…em so that we prevent our system from replay attacks
…ed to our previous version that uses in memory storage
… captcha verification system now works on both login and sign int
Co-authored-by: Eric Dubé <[email protected]>
Co-authored-by: Eric Dubé <[email protected]>
…s to control whether a captcha should be required, I fixed the code in CaptchaModule to use config and got rid of the lines that made captcha middleware available since it wasn't used anywhere
…can now determine captcha requirements. PuterHomePageService can set GUI parameters for captcha requirements. The /whoarewe endpoint provides captcha requirement information and the extension system integration is maintained
.gitignore
# Language Server Protocol cache
.lsp/
.lsp/.cache/
.lsp/.cache/db.transit.json
These lines belong in the global .gitignore on your local machine, not in our repo
.gitignore
# clj-kondo cache
.clj-kondo/
.clj-kondo/.cache/
.clj-kondo/.cache/v1/lock
(same as previous comment)
src/backend/src/routers/whoarewe.js
 * This allows the frontend to know in advance whether to display captcha
 * elements without needing to make a request and get a rejection first.
 */
const WHOAREWE_GET = eggspress('/whoarewe', {
We already have /whoarewe implemented in PuterHomepageService, so adding another endpoint with the same name will break detection of whether or not user signup is disabled. This behavior should be moved to the endpoint in PuterHomepageService.
I tried to manually test this and I ran into a few issues. The first one seems to be some missing changes; if you did manual testing then I assume you made these changes and didn't commit them or accidentally stashed them. Here's the error message I got:
These were the changes that fixed it:
diff --git a/src/backend/src/routers/login.js b/src/backend/src/routers/login.js
index 85c51551..60722eb9 100644
--- a/src/backend/src/routers/login.js
+++ b/src/backend/src/routers/login.js
@@ -22,7 +22,7 @@ const router = new express.Router();
const { get_user, body_parser_error_handler } = require('../helpers');
const config = require('../config');
const { DB_WRITE } = require('../services/database/consts');
-const requireCaptcha = require('../modules/captcha/middleware/captcha-middleware');
+const { requireCaptcha } = require('../modules/captcha/middleware/captcha-middleware');
const complete_ = async ({ req, res, user }) => {
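Review bot: the destructured import on the `+` line only works if captcha-middleware.js now exports `requireCaptcha` as a named property; if the module still exports the function itself (the shape the removed `-` line expected), `requireCaptcha` becomes `undefined` and Express throws when the route is registered. The export change and both router updates (this hunk and the identical one in signup.js below) should land in the same commit so the branch never builds in a half-migrated state.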
diff --git a/src/backend/src/routers/signup.js b/src/backend/src/routers/signup.js
index 49050389..d94f5f16 100644
--- a/src/backend/src/routers/signup.js
+++ b/src/backend/src/routers/signup.js
@@ -25,7 +25,7 @@ const { DB_WRITE } = require('../services/database/consts');
const { generate_identifier } = require('../util/identifier');
const { is_temp_users_disabled: lazy_temp_users,
is_user_signup_disabled: lazy_user_signup } = require("../helpers")
-const requireCaptcha = require('../modules/captcha/middleware/captcha-middleware');
+const { requireCaptcha } = require('../modules/captcha/middleware/captcha-middleware');
async function generate_random_username () {
let username;
The next is a security issue. With these changes, logging in now puts the user's password in the querystring portion of the URL. That must be fixed before this is merged.
I went ahead and fixed the security issue where the login flow was putting the user's password in the URL, I updated the imports you told me about, the captcha verification system now uses the correct whoarewe and I removed the other one.
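The password-in-querystring finding above, illustrated with an added example that is not code from the Puter repository: a check that flags credential fields appearing in a request URL, shown against the leaky GET-style submission and the corrected POST-body form. The `/login` path, the `username`/`password` field names and the key list are assumptions.

```javascript
// Added example (not Puter code). Assumptions: the login endpoint is
// POST /login and the credential fields are named username/password.
const SENSITIVE_KEYS = new Set(['password', 'pass', 'passwd', 'token', 'otp']);

// Returns the names of sensitive query parameters present in `url`.
// Query strings land in browser history, access logs, proxy logs and
// Referer headers, so a credential placed there is effectively leaked.
function sensitiveQueryParams(url) {
  const { searchParams } = new URL(url, 'http://localhost');
  return [...searchParams.keys()].filter((k) => SENSITIVE_KEYS.has(k.toLowerCase()));
}

// The pattern behind the review finding: form fields serialised into
// the query string of a GET request.
function buildLoginRequestLeaky(base, username, password) {
  const qs = new URLSearchParams({ username, password }).toString();
  return { method: 'GET', url: `${base}/login?${qs}`, headers: {}, body: null };
}

// The corrected pattern: credentials travel only in a POST body.
function buildLoginRequest(base, username, password) {
  return {
    method: 'POST',
    url: `${base}/login`,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ username, password }),
  };
}

// Guard a server-side test or request hook can run: true when any
// credential field has leaked into the URL.
function leaksCredentials(req) {
  return sensitiveQueryParams(req.url).length > 0;
}

// Demo on constructed input (hypothetical local backend and credentials).
function demo() {
  const base = 'http://localhost:4100';
  const leaky = buildLoginRequestLeaky(base, 'alice', 'hunter2');
  const safe = buildLoginRequest(base, 'alice', 'hunter2');
  return { leakyFlagged: leaksCredentials(leaky), safeFlagged: leaksCredentials(safe) };
}

console.log(demo()); // { leakyFlagged: true, safeFlagged: false }
```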
Thanks! I just tested it out and it's working great. There are two things that I didn't realize before that we need to update as well, and then it should be ready to merge.
I recorded manual testing on video in case that's a helpful reference. pr1174_1.5x.mp4
I split the middleware into two distinct parts, so that the frontend can now determine captcha requirements. PuterHomePageService can set GUI parameters for captcha requirements. The /whoarewe endpoint provides captcha requirement information and the extension system integration is maintained