fix most critical security alerts from https://github.com/openwhyd/openwhyd/security/code-scanning #669
adrienjoly added 6 commits that referenced this issue on Aug 20, 2023
adrienjoly added a commit that referenced this issue on Aug 31, 2023:
Fixes https://github.com/openwhyd/openwhyd/security/code-scanning/15 and https://github.com/openwhyd/openwhyd/security/code-scanning/14. Contributes to #669.

## Challenge

To implement Openwhyd's soft/ajax-based navigation logic (that does not interrupt the music playback when navigating), `jquery.history` has been used indirectly by a jQuery-based abstraction layer of [`window.history`](https://developer.mozilla.org/en-US/docs/Web/API/Window/history): [jQuery History](https://github.com/yeikos/jquery.history) ([source code](https://github.com/yeikos/jquery.history/blob/master/jquery.history.js)).

=> This PR rewrites that logic, using the browser's History API directly.

## Changes

* fix(security): fix: remove `jquery.history`
* update snapshots for approval tests
* `noDefaultJs` is never set => simplify list of included js files
* fix(makefile): add `test-e2e-dev` to open Cypress runner
* make e2e tests pass
* clean-up logs
* use `window.history` explicitly instead of `History`
* call `pushState()` just from `goToPage()`
* fix: `rootUrl` to make it work from any domain
* remove default value for parameter `url`
* fix(sonar): use substring instead of substr (deprecated)
* fix(sonar): remove commented code
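As an added illustration of the approach taken in that commit (this is example code, not Openwhyd's or jquery.history's), the helper below does soft navigation directly on the History API: `rootUrl` is derived from the current origin rather than hard-coded, `pushState()` is called from a single `goToPage()` entry point, and back/forward is handled through `popstate`. The names `createNavigator`, `goToPage`, `createFakeBrowser` and the `openwhyd.example` host are assumptions made for the example; `history` and `location` are injected so the code also runs outside a browser, where you would pass `window.history` and `window.location`.

```javascript
// Added example, not code from Openwhyd or the jquery.history project.
// Minimal soft-navigation helper built directly on the History API.
// `history` and `location` are injected so this runs outside a browser;
// in a page you would pass window.history and window.location.

function createNavigator({ history, location, render }) {
  // rootUrl comes from the current origin, so the same code works from any
  // domain (localhost, staging, production) without a hard-coded host.
  const rootUrl = location.origin;

  // Resolve a link target against rootUrl and refuse anything off-origin:
  // pushState() would throw a SecurityError for such a URL anyway, and a
  // full navigation would unload the page and stop the music.
  function resolve(target) {
    const url = new URL(target, rootUrl);
    if (url.origin !== rootUrl) {
      throw new Error('refusing to soft-navigate off-origin: ' + url.href);
    }
    return url.pathname + url.search + url.hash;
  }

  function currentPath() {
    return location.pathname + location.search + location.hash;
  }

  // goToPage() is the only place that calls pushState(); re-navigating to
  // the current path re-renders without adding a duplicate history entry.
  function goToPage(target) {
    const path = resolve(target);
    if (path !== currentPath()) {
      history.pushState({ path }, '', path);
    }
    render(path);
    return path;
  }

  // Back/forward fire popstate; the browser has already updated location,
  // so just re-render the restored entry.
  function onPopState(event) {
    const path = (event && event.state && event.state.path) || currentPath();
    render(path);
    return path;
  }

  return { rootUrl, resolve, goToPage, onPopState };
}

// Constructed stand-in for window.history / window.location, enough to
// exercise the navigator offline. pushState() updates location the way a
// browser would; back() restores the previous entry and returns the
// popstate event payload.
function createFakeBrowser(startHref) {
  const entries = [{ state: null, href: startHref }];
  let index = 0;
  const location = {};
  function syncLocation() {
    const u = new URL(entries[index].href);
    Object.assign(location, {
      origin: u.origin, pathname: u.pathname, search: u.search, hash: u.hash, href: u.href,
    });
  }
  const history = {
    pushState(state, _title, url) {
      const href = new URL(url, location.href).href;
      entries.splice(index + 1); // drop forward entries, as browsers do
      entries.push({ state, href });
      index += 1;
      syncLocation();
    },
    back() {
      if (index > 0) index -= 1;
      syncLocation();
      return { state: entries[index].state };
    },
    get length() { return entries.length; },
  };
  syncLocation();
  return { history, location };
}

// A typical session: two soft navigations, a repeated one, a back-button
// press and one rejected off-origin link. Returns what was rendered.
function demo() {
  const rendered = [];
  const browser = createFakeBrowser('https://openwhyd.example/'); // constructed host
  const nav = createNavigator({ ...browser, render: (p) => rendered.push(p) });
  nav.goToPage('/adrien');
  nav.goToPage('/adrien?sort=recent#top');
  nav.goToPage('/adrien?sort=recent#top'); // same path: render, no new entry
  nav.onPopState(browser.history.back()); // back to /adrien
  let rejected = false;
  try { nav.goToPage('https://other.example/adrien'); } catch (e) { rejected = true; }
  return { rendered, historyLength: browser.history.length, rejected, rootUrl: nav.rootUrl };
}

if (typeof window === 'undefined') {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Keeping `pushState()` behind one function makes the navigation surface easy to audit: every history entry the app creates goes through `resolve()`, so a link that would leave the origin is rejected before it can trigger a full page load.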
adrienjoly added a commit that referenced this issue on Oct 15, 2023:
…ort (#705)

Fork of PR #593. May contribute to #669.

## What does this PR do / solve?

Make Openwhyd more secure by delegating auth and user management to Auth0.

## Overview of changes

When Auth0 env vars are provided, Openwhyd delegates the following features to Auth0:

- login/logout
- signup
- password change (forgotten or not)
- ...

Otherwise, the legacy auth and user management implementation is used, as currently.

## How to test this PR?

### Prerequisite

To do once for all:

1. set up an Auth0 account with a "user-password" auth database, with "usernames" login enabled
2. paste Auth0 credentials to `env-vars-testing.conf`
3. (re)start openwhyd + db in docker: `$ docker compose up --build --detach`
4. seed test users: `$ make docker-seed`

To repeat after each code change:

1. (re)start openwhyd + db: `$ make dev`

=> when you're done testing, don't forget to run `$ make down`.

### Bulk user import

1. copy-paste [this token](https://manage.auth0.com/dashboard/eu/dev-vh1nl8wh3gmzgnhp/apis/management/explorer) to file: `scripts/auth0/.token`
2. run `$ scripts/auth0/import-test-users.sh`
3. check that users are imported: [Users](https://manage.auth0.com/dashboard/eu/dev-vh1nl8wh3gmzgnhp/users) + [Logs](https://manage.auth0.com/dashboard/eu/dev-vh1nl8wh3gmzgnhp/logs)

### Login+logout

1. open http://localhost:8080
2. click on "log in" => you're redirected to auth0's login page
3. login with `admin`/`admin` or `dummy`/`admin`
4. back on openwhyd, logout

### Signup

1. open http://localhost:8080
2. click on "sign up" => you're redirected to auth0's signup page
3. submit a username (e.g. `adrien`), an email address and a password
4. back on openwhyd, logout
5. follow the "login+logout" procedure (above), to check that you can login with username or email

### Change of email address

Once you're logged in:

1. open http://localhost:8080/settings
2. change the email address
3. click "save changes", ignore the error message
4. check that the email address was updated, in [Auth0's user list](https://manage.auth0.com/dashboard/eu/dev-vh1nl8wh3gmzgnhp/users)

### Change of password

Once you're logged in:

1. open http://localhost:8080/settings
2. click on the "password" tab
3. type the same password in the 3 fields (any valid value will do)
4. click "save changes" => a message tells you that you'll receive an email
5. logout
6. open the email, click the link, pick a new password
7. back on http://localhost:8080, login with your new password

### Change of handle/username

Once you're logged in:

1. open http://localhost:8080/settings
2. type a username in the "Custom URL" field
3. click "save changes"
4. logout
5. login with your new username+password

### Account deletion

Once you're logged in:

1. open http://localhost:8080/settings
2. click on "delete your account" and confirm
3. check that the user is not listed anymore in [Auth0's user list](https://manage.auth0.com/dashboard/eu/dev-vh1nl8wh3gmzgnhp/users)

## TODO / probably worth doing before merging

- [ ] import users' Facebook id to Auth0 too, so users can still login to Openwhyd using their Facebook account, after migrating to Auth0 => we could delete all facebook-related code and possibly close #658. => test that it works as expected.

## To be done later

- forward change of avatar to Auth0

## References and resources

- Auth0 [Application Details](https://manage.auth0.com/dashboard/eu/dev-vh1nl8wh3gmzgnhp/applications/87WcUOdE9SGegwDcZfPRdl4Kw3T21pqs/settings)
- npm package used for auth: [express-openid-connect](https://auth0.github.io/express-openid-connect/)
- API reference of npm package used for other operations: [node-auth0](https://auth0.github.io/node-auth0/index.html)
adrienjoly pushed a commit that referenced this issue on Oct 15, 2023
adrienjoly added a commit that referenced this issue on Dec 27, 2023:
Follow-up of #705. May contribute to #669.

Usage, from project root dir:

```sh
$ mongoexport -d ${dbname} -c user --type=json --out ./prod-users.json-lines -u ${dbuser} -p ${dbpassword}
$ node ./scripts/auth0/prepare-import-batches.js # => create files: `prod-users-*.for-auth0.json`
$ ./scripts/auth0/import-prod-users.sh
```
adrienjoly pushed a commit that referenced this issue on Dec 27, 2023
source: https://github.com/openwhyd/openwhyd/security/code-scanning