fix(api): update routes for authorization bypass (#38387)

mrugesh
2020-03-18 22:35:42 +05:30
committed by GitHub
parent 802f9f68ba
commit 6f90efb20c
2 changed files with 16 additions and 3 deletions


@ -12,21 +12,29 @@ import { jwtSecret as _jwtSecret } from '../../../config/secrets';
import { wrapHandledError } from '../utils/create-handled-error'; import { wrapHandledError } from '../utils/create-handled-error';
const authRE = /^\/auth\//; const authRE = /^\/auth\//;
const confirmEmailRE = /^\/confirm-email$/;
const newsShortLinksRE = /^\/n\/|^\/p\//; const newsShortLinksRE = /^\/n\/|^\/p\//;
const publicUserRE = /^\/api\/users\/get-public-profile$/;
const publicUsernameRE = /^\/api\/users\/exists$/;
const resubscribeRE = /^\/resubscribe\//; const resubscribeRE = /^\/resubscribe\//;
const showCertRE = /^\/certificate\/showCert\//; const showCertRE = /^\/certificate\/showCert\//;
// note: signin may not have a trailing slash // note: signin may not have a trailing slash
const signinRE = /^\/signin/; const signinRE = /^\/signin/;
const statusRE = /^\/status\/ping$/;
const unsubscribedRE = /^\/unsubscribed\//; const unsubscribedRE = /^\/unsubscribed\//;
const unsubscribeRE = /^\/u\/|^\/unsubscribe\/|^\/ue\//; const unsubscribeRE = /^\/u\/|^\/unsubscribe\/|^\/ue\//;
const updatePaypalRE = /^\/donate\/update-paypal/; const updatePaypalRE = /^\/donate\/update-paypal/;
const _whiteListREs = [ const _whiteListREs = [
authRE, authRE,
confirmEmailRE,
newsShortLinksRE, newsShortLinksRE,
publicUserRE,
publicUsernameRE,
resubscribeRE, resubscribeRE,
showCertRE, showCertRE,
signinRE, signinRE,
statusRE,
unsubscribedRE, unsubscribedRE,
unsubscribeRE, unsubscribeRE,
updatePaypalRE updatePaypalRE
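Review bot: The four new entries (`confirmEmailRE`, `publicUserRE`, `publicUsernameRE`, `statusRE`) end in `$`, so they match only when the tested string is the bare pathname. Whether the check receives the pathname or the full URL is not visible in this hunk, and the test file in this commit passes a value carrying a `?code=` query string. If a query string or trailing slash can reach the check, these routes fail closed (treated as unauthenticated) rather than being exposed, so the risk is functional rather than a new bypass. A comment above `_whiteListREs` would pin the contract, for example `// matched against the pathname only (no query string); entries ending in $ are exact matches`. Because every entry exempts a route from authorization, the spec should import this list instead of keeping its own copy, so drift between the two is caught; the array literal continues outside the hunk.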


@ -29,21 +29,29 @@ const mockGetUserById = id =>
describe('request-authorization', () => { describe('request-authorization', () => {
describe('isWhiteListedPath', () => { describe('isWhiteListedPath', () => {
const authRE = /^\/auth\//; const authRE = /^\/auth\//;
const confirmEmailRE = /^\/confirm-email$/;
const newsShortLinksRE = /^\/n\/|^\/p\//; const newsShortLinksRE = /^\/n\/|^\/p\//;
const publicUserRE = /^\/api\/users\/get-public-profile$/;
const publicUsernameRE = /^\/api\/users\/exists$/;
const resubscribeRE = /^\/resubscribe\//; const resubscribeRE = /^\/resubscribe\//;
const showCertRE = /^\/certificate\/showCert\//; const showCertRE = /^\/certificate\/showCert\//;
// note: signin may not have a trailing slash // note: signin may not have a trailing slash
const signinRE = /^\/signin/; const signinRE = /^\/signin/;
const statusRE = /^\/status\/ping$/;
const unsubscribedRE = /^\/unsubscribed\//; const unsubscribedRE = /^\/unsubscribed\//;
const unsubscribeRE = /^\/u\/|^\/unsubscribe\/|^\/ue\//; const unsubscribeRE = /^\/u\/|^\/unsubscribe\/|^\/ue\//;
const updatePaypalRE = /^\/donate\/update-paypal/; const updatePaypalRE = /^\/donate\/update-paypal/;
const whiteList = [ const whiteList = [
authRE, authRE,
confirmEmailRE,
newsShortLinksRE, newsShortLinksRE,
publicUserRE,
publicUsernameRE,
resubscribeRE, resubscribeRE,
showCertRE, showCertRE,
signinRE, signinRE,
statusRE,
unsubscribedRE, unsubscribedRE,
unsubscribeRE, unsubscribeRE,
updatePaypalRE updatePaypalRE
@ -51,13 +59,10 @@ describe('request-authorization', () => {
it('returns a boolean', () => { it('returns a boolean', () => {
const result = isWhiteListedPath(); const result = isWhiteListedPath();
expect(typeof result).toBe('boolean'); expect(typeof result).toBe('boolean');
}); });
it('returns true for a white listed path', () => { it('returns true for a white listed path', () => {
expect.assertions(2);
const resultA = isWhiteListedPath( const resultA = isWhiteListedPath(
'/auth/auth0/callback?code=yF_mGjswLsef-_RLo', '/auth/auth0/callback?code=yF_mGjswLsef-_RLo',
whiteList whiteList