Merge pull request #16 from noremacsim/1.1.0/bug/Fix_Vulnraility_errors

Issue: 14 - Fix xss

App/middleware/auth.js

@@ -7,6 +7,7 @@ const {
     Group,
     TwoFactorAuthentication,
 } = require(path.join(__dirname, '../../Core/models/'));
+const {CustomRoutes} = require("../../Core");
 
 dotenv.config();
 
@@ -36,19 +37,26 @@ async function middle(request, h) {
             include: User,
         });
 
+        let requestedPath = '/';
+        const checkRequestedPath = obj => obj.path === request?.route?.path;
+
+        if (CustomRoutes.some(checkRequestedPath)) {
+            requestedPath = request?.route?.path;
+        }
+
         if (!authToken) {
             h.unstate('jwt');
             h.unstate('isLoggedIn');
             h.unstate('twoFAPassed');
-            return h.redirect(`/user/login?path=${request?.route?.path}`);
+            return h.redirect(`/user/login?path=${requestedPath}`);
         }
 
         if (authToken.User.TwoFAEnabled && !authToken.TwoFactorPassed) {
             h.state('twoFAPassed', false);
             h.state('isLoggedIn', true);
             request.user = {};
             request.user.id = authToken.User.id;
-            return h.redirect(`/user/login?path=${request?.route?.path}`);
+            return h.redirect(`/user/login?path=${requestedPath}`);
         }
 
         const user = await User.findOne({

Core/driftyCore.js

@@ -10,10 +10,6 @@ const init = async (type) => {
     const corsHeaders = process.env.CORS_HEADERS.split(',');
     const corsAdditionalHeaders = process.env.CORS_ADDITIONALHEADERS.split(',');
 
-    const corsOrigin = process.env.CORS_ORIGIN.split(',');
-    const corsHeaders = process.env.CORS_HEADERS.split(',');
-    const corsAdditionalHeaders = process.env.CORS_ADDITIONALHEADERS.split(',');
-
     // Server Options
     let options = {
         port: PORT,