OpenBAS-Platform · MarineLeM · Nov 4, 2024 · Oct 31, 2024 · Oct 31, 2024 · Oct 31, 2024
diff --git a/openbas-api/src/main/java/io/openbas/rest/helper/RestBehavior.java b/openbas-api/src/main/java/io/openbas/rest/helper/RestBehavior.java
@@ -22,6 +22,7 @@
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.core.AuthenticationException;
 import org.springframework.validation.FieldError;
 import org.springframework.web.bind.MethodArgumentNotValidException;
 import org.springframework.web.bind.annotation.ExceptionHandler;
@@ -92,10 +93,10 @@
   }
 
   @ResponseStatus(HttpStatus.UNAUTHORIZED)
-  @ExceptionHandler(AccessDeniedException.class)
+  @ExceptionHandler(AuthenticationException.class)
   public ValidationErrorBag handleValidationExceptions() {
     ValidationErrorBag bag =
-        new ValidationErrorBag(HttpStatus.UNAUTHORIZED.value(), "ACCESS_DENIED");
+        new ValidationErrorBag(HttpStatus.UNAUTHORIZED.value(), "AUTHENTIFICATION_FAILED");
     ValidationError errors = new ValidationError();
     Map<String, ValidationContent> errorsBag = new HashMap<>();
     errorsBag.put("username", new ValidationContent("Invalid user or password"));
@@ -104,6 +105,17 @@
     return bag;
   }
 
+  @ResponseStatus(HttpStatus.NOT_FOUND)
+  @ExceptionHandler(AccessDeniedException.class)
+  public ValidationErrorBag handleAccessDeniedExceptions() {
+    // When the user does not have the appropriate access rights, return 404 Not Found.
+    // This response indicates that the resource does not exist, preventing any information
+    // disclosure
+    // about the resource and reducing the risk of brute force attacks by not confirming its
+    // existence
+    return new ValidationErrorBag(HttpStatus.NOT_FOUND.value(), "NOT_FOUND");
+  }
+
   @ResponseStatus(HttpStatus.CONFLICT)
   @ExceptionHandler(DataIntegrityViolationException.class)
   public ViolationErrorBag handleIntegrityException(DataIntegrityViolationException e) {

diff --git a/openbas-api/src/main/java/io/openbas/rest/user/UserApi.java b/openbas-api/src/main/java/io/openbas/rest/user/UserApi.java
@@ -35,6 +35,7 @@
 import org.springframework.data.jpa.domain.Specification;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.annotation.Secured;
+import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.web.bind.annotation.*;
 
 @RestController
@@ -82,7 +83,7 @@ public User login(@Valid @RequestBody LoginUserInput input) {
         return user;
       }
     }
-    throw new AccessDeniedException("Invalid credentials");
+    throw new BadCredentialsException("Invalid credential.");
   }
 
   @PostMapping("/api/reset")

diff --git a/openbas-front/src/admin/Index.tsx b/openbas-front/src/admin/Index.tsx
@@ -1,7 +1,7 @@
 import { Box } from '@mui/material';
 import { makeStyles, useTheme } from '@mui/styles';
-import { lazy, Suspense } from 'react';
-import { Route, Routes, useNavigate } from 'react-router-dom';
+import { lazy, Suspense, useEffect } from 'react';
+import { Navigate, Route, Routes, useNavigate } from 'react-router-dom';
 
 import type { LoggedHelper } from '../actions/helper';
 import { fetchTags } from '../actions/Tag';
@@ -47,9 +47,13 @@ const Index = () => {
   const { logged, settings } = useHelper((helper: LoggedHelper) => {
     return { logged: helper.logged(), settings: helper.getPlatformSettings() };
   });
-  if (logged.isOnlyPlayer) {
-    navigate('/private');
-  }
+
+  useEffect(() => {
+    if (logged.isOnlyPlayer) {
+      navigate('/');
+    }
+  }, [logged]);
+
   const boxSx = {
     flexGrow: 1,
     padding: 3,
@@ -99,7 +103,11 @@ const Index = () => {
               <Route path="mitigations" element={errorWrapper(Mitigations)()} />
               <Route path="integrations/*" element={errorWrapper(IndexIntegrations)()} />
               <Route path="agents/*" element={errorWrapper(IndexAgents)()} />
-              <Route path="settings/*" element={errorWrapper(IndexSettings)()} />
+              <Route
+                path="settings/*"
+                element={logged.admin ? errorWrapper(IndexSettings)()
+                  : <Navigate to="/" replace={true} />}
+              />
               {/* Not found */}
               <Route path="*" element={<NotFound />} />
             </Routes>

diff --git a/openbas-front/src/admin/components/nav/TopBar.tsx b/openbas-front/src/admin/components/nav/TopBar.tsx
@@ -143,6 +143,7 @@ const TopBar: React.FC = () => {
   });
   const handleLogout = async () => {
     await dispatch(logout());
+    navigate('/');
     handleCloseMenu();
   };
 

diff --git a/openbas-front/src/private/components/nav/TopBar.tsx b/openbas-front/src/private/components/nav/TopBar.tsx
@@ -3,7 +3,7 @@ import { AppBar, IconButton, Menu, MenuItem, MenuProps, Toolbar } from '@mui/mat
 import { makeStyles, useTheme } from '@mui/styles';
 import { useState } from 'react';
 import * as React from 'react';
-import { Link } from 'react-router-dom';
+import { Link, useNavigate } from 'react-router-dom';
 
 import { logout } from '../../../actions/Application';
 import { useFormatter } from '../../../components/i18n';
@@ -38,6 +38,7 @@ const TopBar: React.FC = () => {
   const theme = useTheme<Theme>();
   const classes = useStyles();
   const { t } = useFormatter();
+  const navigate = useNavigate();
   const [open, setOpen] = useState(false);
   const [anchorEl, setAnchorEl] = useState<MenuProps['anchorEl']>(null);
   const dispatch = useAppDispatch();
@@ -51,6 +52,7 @@ const TopBar: React.FC = () => {
   };
   const handleLogout = async () => {
     await dispatch(logout());
+    navigate('/');
     setOpen(false);
   };
   return (

diff --git a/openbas-front/src/root.tsx b/openbas-front/src/root.tsx
@@ -1,6 +1,5 @@
 import { CssBaseline } from '@mui/material';
 import { StyledEngineProvider } from '@mui/material/styles';
-import * as R from 'ramda';
 import { lazy, Suspense, useEffect } from 'react';
 import { Navigate, Route, Routes } from 'react-router-dom';
 
@@ -35,9 +34,7 @@ const Root = () => {
     dispatch(fetchMe());
     dispatch(fetchPlatformParameters());
   }, []);
-  if (R.isEmpty(logged)) {
-    return <div />;
-  }
+
   if (!logged || !me || !settings) {
     return (
       <Suspense fallback={<Loader />}>

diff --git a/openbas-front/src/utils/Action.ts b/openbas-front/src/utils/Action.ts
@@ -46,8 +46,8 @@ const notifyError = (error: AxiosError) => {
     locale: LANG,
     messages: i18n.messages[LANG as keyof typeof i18n.messages],
   }, cache);
-  if (error.status === 401) {
-    // Do not notify the user, as a 401 error will already trigger a disconnection
+  if (error.status === 401 || error.status === 404) {
+    // Do not notify the user, as a 401 error will already trigger a disconnection, as 404 already handle inside the app
   } else if (error.status === 409) {
     MESSAGING$.notifyError(intl.formatMessage({ id: 'The element already exists' }));
   } else if (error.status === 500) {