Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Require user logged in for POSTing confirm endpoint #228

Merged
merged 3 commits into from
Jul 25, 2018
Merged

Require user logged in for POSTing confirm endpoint #228

merged 3 commits into from
Jul 25, 2018

Conversation

ehsanmasdar
Copy link
Member

No description provided.

@hackgbot
Copy link

Hey y'all! A deployment of this PR can be found here:
https://registration-auth-fix.pr.hack.gt

petschekr
petschekr requested changes Jul 20, 2018
View reviewed changes
Copy link
Member

@petschekr petschekr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On second glance...

server/routes/auth.ts Outdated
@@ -70,7 +70,7 @@ export async function reloadAuthentication() {
}

// These routes need to be redefined on every instance of a new router
router.post("/confirm", validateAndCacheHostName, postParser, async (request, response) => {
router.post("/confirm", authenticateWithReject, validateAndCacheHostName, postParser, async (request, response) => {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because this middleware is using !request.user.verifiedEmail || !request.user.accountConfirmed to check if a user is valid, a confirming user will always be rejected.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, switched to explicitly validating

petschekr
petschekr approved these changes Jul 21, 2018
View reviewed changes
Copy link
Member

@petschekr petschekr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good now. Good catch

@ehsanmasdar ehsanmasdar merged commit 2e11c01 into master Jul 25, 2018
@ehsanmasdar ehsanmasdar deleted the auth-fix branch July 25, 2018 07:14
rahulrajus pushed a commit that referenced this pull request Jul 22, 2021
@ehsanmasdar
Require user logged in for POSTing confirm endpoint (#228)
68f5faa 
* Require user logged in for POSTing confirm endpoint

* Don't use middleware to validate user

* Version bump
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@petschekr petschekr petschekr approved these changes

@kexin-zhang kexin-zhang Awaiting requested review from kexin-zhang

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ehsanmasdar @hackgbot @petschekr