From 57f17a17fc2bb4c7f40ac386bbd4a10a4cf24a4b Mon Sep 17 00:00:00 2001
From: noremacsim
Date: Tue, 29 Nov 2022 14:10:29 +0000
Subject: [PATCH] Issue: 14 - Fix xss

---
 App/middleware/auth.js | 12 ++++++++++--
 Core/driftyCore.js     |  4 ----
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/App/middleware/auth.js b/App/middleware/auth.js
index 1a20f42..2f708bd 100755
--- a/App/middleware/auth.js
+++ b/App/middleware/auth.js
@@ -7,6 +7,7 @@ const {
   Group,
   TwoFactorAuthentication,
 } = require(path.join(__dirname, '../../Core/models/'));
+const {CustomRoutes} = require("../../Core");
 
 dotenv.config();
 
@@ -36,11 +37,18 @@ async function middle(request, h) {
     include: User,
   });
 
+  let requestedPath = '/';
+  const checkRequestedPath = obj => obj.path === request?.route?.path;
+
+  if (CustomRoutes.some(checkRequestedPath)) {
+    requestedPath = request?.route?.path;
+  }
+
   if (!authToken) {
     h.unstate('jwt');
     h.unstate('isLoggedIn');
     h.unstate('twoFAPassed');
-    return h.redirect(`/user/login?path=${request?.route?.path}`);
+    return h.redirect(`/user/login?path=${requestedPath}`);
   }
 
   if (authToken.User.TwoFAEnabled && !authToken.TwoFactorPassed) {
@@ -48,7 +56,7 @@ async function middle(request, h) {
     h.state('isLoggedIn', true);
     request.user = {};
     request.user.id = authToken.User.id;
-    return h.redirect(`/user/login?path=${request?.route?.path}`);
+    return h.redirect(`/user/login?path=${requestedPath}`);
   }
 
   const user = await User.findOne({
diff --git a/Core/driftyCore.js b/Core/driftyCore.js
index 2c6cedd..e37a9f8 100644
--- a/Core/driftyCore.js
+++ b/Core/driftyCore.js
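Review bot: The added `const {CustomRoutes} = require("../../Core");` in the `@@ -7,6 +7,7` hunk is written in a different style from the import directly above it, which uses single quotes, spaces inside the destructuring braces and `path.join(__dirname, …)` for the sibling Core path; `const { CustomRoutes } = require(path.join(__dirname, '../../Core'));` would match the file. Since `../../Core` is presumably the same package index that loads this middleware, a circular require could leave `CustomRoutes` undefined at the time `middle()` runs — worth confirming that the index exports it before the middleware is registered.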
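Review bot: `requestedPath` is still interpolated raw into the redirect URL on the `return h.redirect(...)` lines of the `@@ -36,11 +37,18` hunk and of the `@@ -48,7 +56,7` hunk; even an allow-listed route path can contain characters such as `?`, `&` or `#` that change how the login handler parses the `path` query parameter, so build it as ``return h.redirect(`/user/login?path=${encodeURIComponent(requestedPath)}`);`` (or via `URLSearchParams`). `request?.route?.path` is re-read for every `CustomRoutes` entry inside `checkRequestedPath`; reading it once into a `const routePath` before the `some()` call and using it in both places makes the comparison and the assignment easier to follow. Whether the route's configured path pattern rather than the actual request path is the right value to send back cannot be judged from the hunk, and the login handler that consumes `path` should validate the redirect target on its side as well. The body of `middle()` continues outside both hunks.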
@@ -10,10 +10,6 @@ const init = async (type) => {
   const corsHeaders = process.env.CORS_HEADERS.split(',');
   const corsAdditionalHeaders = process.env.CORS_ADDITIONALHEADERS.split(',');
 
-  const corsOrigin = process.env.CORS_ORIGIN.split(',');
-  const corsHeaders = process.env.CORS_HEADERS.split(',');
-  const corsAdditionalHeaders = process.env.CORS_ADDITIONALHEADERS.split(',');
-
   // Server Options
   let options = {
     port: PORT,