fix GHSA-vcr7-g458-c933

Clivern · Jun 7, 2024 · 0ddb4fb · 0ddb4fb
1 parent fd15ef0
commit 0ddb4fb
Show file tree

Hide file tree

Showing 22 changed files with 33 additions and 23,321 deletions.
diff --git a/lib/lynx/middleware/api_auth.ex b/lib/lynx/middleware/api_auth.ex
@@ -20,29 +20,25 @@ defmodule Lynx.Middleware.APIAuthMiddleware do
   Trigger the API Auth Middleware
   """
   def call(conn, _opts) do
-    {_, user_token} =
-      Enum.find(conn.req_headers, fn {key, _value} -> String.downcase(key) == "x-user-token" end) ||
-        {nil, nil}
-
-    {_, user_id} =
-      Enum.find(conn.req_headers, fn {key, _value} -> String.downcase(key) == "x-user-id" end) ||
-        {nil, nil}
+    conn = fetch_session(conn)
+    user_token = get_session(conn, :token)
+    user_id = get_session(conn, :uid)
 
     {_, api_key} =
       Enum.find(conn.req_headers, fn {key, _value} -> String.downcase(key) == "x-api-key" end) ||
         {nil, nil}
 
     # Logging
     if is_nil(user_token) do
-      Logger.info("X-USER-TOKEN header is not in the request")
+      Logger.info("User token is not in the request")
     else
-      Logger.info("X-USER-TOKEN header is in the request")
+      Logger.info("User token is in the request")
     end
 
     if is_nil(user_id) do
-      Logger.info("X-USER-ID header is not in the request")
+      Logger.info("User id is not in the request")
     else
-      Logger.info("X-USER-ID header is in the request")
+      Logger.info("User id is in the request")
     end
 
     if is_nil(api_key) do

diff --git a/lib/lynx/middleware/ui_auth.ex b/lib/lynx/middleware/ui_auth.ex
@@ -11,6 +11,8 @@ defmodule Lynx.Middleware.UIAuthMiddleware do
 
   require Logger
 
+  import Plug.Conn
+
   alias Lynx.Module.UserModule
   alias Lynx.Service.AuthService
 
@@ -24,20 +26,22 @@ defmodule Lynx.Middleware.UIAuthMiddleware do
   _token: the session value
   """
   def call(conn, _opts) do
-    uid = conn.req_cookies["_uid"]
-    token = conn.req_cookies["_token"]
+    conn = fetch_session(conn)
+
+    token = get_session(conn, :token)
+    uid = get_session(conn, :uid)
 
     # Logging
     if is_nil(uid) do
-      Logger.info("_uid cookie is not in the request")
+      Logger.info("uid cookie is not in the request")
     else
-      Logger.info("_uid cookie is in the request")
+      Logger.info("uid cookie is in the request")
     end
 
     if is_nil(token) do
-      Logger.info("_token cookie is not in the request")
+      Logger.info("token cookie is not in the request")
     else
-      Logger.info("_token cookie is in the request")
+      Logger.info("token cookie is in the request")
     end
 
     result = AuthService.is_authenticated(uid, token)

diff --git a/lib/lynx_web/controllers/misc_controller.ex b/lib/lynx_web/controllers/misc_controller.ex
@@ -14,6 +14,8 @@ defmodule LynxWeb.MiscController do
   @app_name_min_length 2
   @app_name_max_length 60
 
+  import Plug.Conn
+
   alias Lynx.Module.InstallModule
   alias Lynx.Service.ValidatorService
   alias Lynx.Service.AuthService
@@ -70,14 +72,16 @@ defmodule LynxWeb.MiscController do
       # Authenticate
       case AuthService.login(email, password) do
         {:success, session} ->
+          conn = fetch_session(conn)
+
           conn
           |> put_status(:ok)
+          |> put_session(:token, session.value)
+          |> put_session(:uid, session.user_id)
           |> render(
             "token_success.json",
             %{
-              message: "User logged in successfully!",
-              token: session.value,
-              user: session.user_id
+              message: "User logged in successfully!"
             }
           )
 

diff --git a/lib/lynx_web/endpoint.ex b/lib/lynx_web/endpoint.ex
@@ -10,8 +10,11 @@ defmodule LynxWeb.Endpoint do
   # Set :encryption_salt if you would also like to encrypt it.
   @session_options [
     store: :cookie,
-    key: "_lynx_key",
-    signing_salt: "Z+Rs6bdk"
+    key: "_lynx_bag",
+    signing_salt: "Z+Rs6bdk",
+    encryption_salt:
+      System.get_env("APP_SECRET") ||
+        "koPmu7TJCwD8mttV9vgWUeU7iuu/zTPOR3sX4UalM9KkYEVGPfyi0PeTVzu1TT8C"
   ]
 
   socket "/live", Phoenix.LiveView.Socket, websocket: [connect_info: [session: @session_options]]

diff --git a/lib/lynx_web/views/misc_view.ex b/lib/lynx_web/views/misc_view.ex
@@ -13,11 +13,9 @@ defmodule LynxWeb.MiscView do
     %{successMessage: message}
   end
 
-  def render("token_success.json", %{message: message, token: token, user: user}) do
+  def render("token_success.json", %{message: message}) do
     %{
-      successMessage: message,
-      token: token,
-      user: user
+      successMessage: message
     }
   end
 end
diff --git a/...ckend-c667d27bf700df80fc3df5b1bdb62d5d.js → ...ckend-1647f9ea7953bcb7b41de6539835e9fe.js b/...ckend-c667d27bf700df80fc3df5b1bdb62d5d.js → ...ckend-1647f9ea7953bcb7b41de6539835e9fe.js
@@ -136,8 +136,6 @@ lynx_app.login_screen = (Vue, axios, $) => {
                     .then((response) => {
                         if (response.status >= 200) {
                             show_notification(response.data.successMessage);
-                            Cookies.set('_token', response.data.token);
-                            Cookies.set('_uid', response.data.user);
                             location.reload();
                         }
                     })
@@ -1067,9 +1065,7 @@ lynx_app.add_snapshot_modal = (Vue, axios, $) => {
 $(document).ready(() => {
     axios.defaults.headers.common = {
         'X-Requested-With': 'XMLHttpRequest',
-        'X-CSRF-Token': csrfToken,
-        'X-User-Token': Cookies.get('_token') || '',
-        'X-User-Id': Cookies.get('_uid') || ''
+        'X-CSRF-Token': csrfToken
     };
 
     if (document.getElementById("app_install")) {

diff --git a/priv/static/theme/app/backend-1647f9ea7953bcb7b41de6539835e9fe.js.gz b/priv/static/theme/app/backend-1647f9ea7953bcb7b41de6539835e9fe.js.gz