fix some redirect vulnerabilities

Lara 2024-11-02 22:46:23 +02:00
parent abea7b3e47
commit f4c6690f1f
Signed by: laratheprotogen
GPG key ID: 5C0296EB3165F98B


@ -114,7 +114,7 @@ export function initAuth(router: express.Router) {
router.get(
"/auth/new-login",
(req: Request, res: Response, next: NextFunction) => {
res.cookie("redir", `${env.DASHBOARD_URL}/new/login-callback/`, { httpOnly: true });
res.cookie("redir", `/new/login-callback/`, { httpOnly: true });
next();
},
@ -128,13 +128,13 @@ export function initAuth(router: express.Router) {
if (req.user && req.user.apiKey) {
res.redirect(
req.cookies.redir
? `${req.cookies.redir.toString()}?apiKey=${req.user.apiKey}`
? `${env.DASHBOARD_URL}${req.cookies.redir.toString()}?apiKey=${req.user.apiKey}`
: `${env.DASHBOARD_URL}/login-callback/?apiKey=${req.user.apiKey}`,
);
} else {
res.redirect(
req.cookies.redir
? `${req.cookies.redir.toString()}?error=noAccess`
? `${env.DASHBOARD_URL}${req.cookies.redir.toString()}?error=noAccess`
: `${env.DASHBOARD_URL}/login-callback/?error=noAccess`,
);
}
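Review bot: Both `res.redirect` branches (the `apiKey` one and the `error=noAccess` one) still concatenate `req.cookies.redir` unchecked, so prefixing `env.DASHBOARD_URL` only pins the destination when the value starts with `/`. `redir` is an unsigned cookie supplied by the client, and any other value is appended directly to the host portion of the URL, with the API key carried in the query string of whatever results. The only value this section ever sets is `/new/login-callback/`, so, assuming no other route sets a different one, compare against it instead of trusting the cookie: `const redir = req.cookies.redir === "/new/login-callback/" ? "/new/login-callback/" : "/login-callback/";` and redirect to `${env.DASHBOARD_URL}${redir}?apiKey=${req.user.apiKey}`. The enclosing route handler starts outside the hunk, so this needs checking against the rest of `initAuth`.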