
fix most critical security alerts from https://github.com/openwhyd/openwhyd/security/code-scanning #669

Open
adrienjoly opened this issue Aug 20, 2023 · 0 comments
@adrienjoly
Member

image

source: https://github.com/openwhyd/openwhyd/security/code-scanning

@adrienjoly adrienjoly self-assigned this Aug 20, 2023
adrienjoly added a commit that referenced this issue Aug 31, 2023
Fixes https://github.com/openwhyd/openwhyd/security/code-scanning/15 and https://github.com/openwhyd/openwhyd/security/code-scanning/14

Contributes to #669.

## Challenge

To implement Openwhyd's soft/ajax-based navigation logic (that does not interrupt the music playback when navigating), `jquery.history` has been used indirectly by a jQuery-based abstraction layer of [`window.history`](https://developer.mozilla.org/en-US/docs/Web/API/Window/history): [jQuery History](https://github.com/yeikos/jquery.history). ([source code](https://github.com/yeikos/jquery.history/blob/master/jquery.history.js))

=> This PR rewrites that logic, using the browser's History API directly.

## Changes

* fix(security): fix: remove `jquery.history`

* update snapshots for approval tests

* `noDefaultJs` is never set => simplify list of included js files

* fix(makefile): add `test-e2e-dev` to open Cypress runner

* make e2e tests pass

* clean-up logs

* use `window.history` explicitly instead of `History`

* call `pushState()` just from `goToPage()`

* fix: `rootUrl` to make it work from any domain

* remove default value for parameter `url`

* fix(sonar): use substring instead of substr (deprecated)

* fix(sonar): remove commented code
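The commit above replaces `jquery.history` with the History API, keeps `pushState()` in a single `goToPage()` and derives `rootUrl` so the code works from any domain. The following is an added example of that pattern, not Openwhyd's code: `history`, `location` and the `loadContent` callback are injected (hypothetical names) so the module runs under Node as well as in a browser, and link targets are resolved against the current origin so that a cross-origin or non-http URL is refused instead of reaching `pushState()` (which throws a `SecurityError` for such URLs).

```javascript
// Added example (not Openwhyd's code): soft navigation built directly on the
// History API. `history`/`location` are window.history/window.location in a
// browser; `loadContent(path)` is a hypothetical callback that fetches the page
// fragment and swaps it into the DOM without interrupting audio playback.
function createSoftNavigation({ history, location, loadContent }) {
  // rootUrl comes from the current origin rather than a hard-coded domain, so
  // the same code works on localhost, staging and production.
  const rootUrl = location.origin;

  // Resolve a link target against the current origin and return its path, or
  // null when it is malformed, cross-origin or uses another scheme
  // (new URL('javascript:...') has origin "null", so it is refused too).
  function toSamePath(url) {
    let target;
    try {
      target = new URL(url, rootUrl);
    } catch (e) {
      return null;
    }
    if (target.origin !== rootUrl) return null;
    return target.pathname + target.search + target.hash;
  }

  // The only place that calls pushState()/replaceState(): every soft
  // navigation goes through here, so history and displayed content stay in sync.
  function goToPage(url, { replace = false } = {}) {
    const path = toSamePath(url);
    if (path === null) return false; // caller falls back to a full navigation
    const state = { path };
    if (replace) history.replaceState(state, '', path);
    else history.pushState(state, '', path);
    loadContent(path);
    return true;
  }

  // Back/forward: the browser already moved the history entry, so only the
  // content is reloaded; pushState must never be called from here.
  function onPopState(event) {
    const fromState = event && event.state && event.state.path;
    loadContent(fromState || location.pathname + location.search);
  }

  return { rootUrl, goToPage, onPopState };
}

// Constructed stand-in for window.history/window.location so the example can
// run outside a browser; it records which URLs were pushed.
function makeFakeBrowser(origin, pathname) {
  const calls = [];
  const history = {
    pushState: (state, title, url) => calls.push(['push', url]),
    replaceState: (state, title, url) => calls.push(['replace', url]),
  };
  return { history, location: { origin, pathname, search: '' }, calls };
}

function demo() {
  const fake = makeFakeBrowser('https://openwhyd.example', '/');
  const loaded = [];
  const nav = createSoftNavigation({
    history: fake.history,
    location: fake.location,
    loadContent: (path) => loaded.push(path),
  });
  const results = [
    nav.goToPage('/u/123'),                                   // same-origin path
    nav.goToPage('https://openwhyd.example/hot?genre=rock'),  // absolute, same origin
    nav.goToPage('https://evil.example/phish'),               // cross-origin: refused
    nav.goToPage('javascript:alert(1)'),                      // other scheme: refused
  ];
  nav.onPopState({ state: { path: '/u/123' } }); // back button: reload only
  return { results, pushed: fake.calls, loaded };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In a page, wire it up with `window.addEventListener('popstate', nav.onPopState)` and route link clicks through `nav.goToPage(href)`, letting the browser perform a normal navigation whenever it returns `false`.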
adrienjoly added a commit that referenced this issue Oct 15, 2023
…ort (#705)

Fork of PR #593. May contribute to #669.

## What does this PR do / solve?

Make Openwhyd more secure by delegating auth and user management to Auth0.

## Overview of changes

When Auth0 env vars are provided, Openwhyd delegates the following features to Auth0:
- login/logout
- signup
- password change (forgotten or not)
- ...

Otherwise, the legacy auth and user management implementation is used, as currently.

## How to test this PR?

### Prerequisite

To do once for all:

1. set up an Auth0 account with a "user-password" auth database, with "usernames" login enabled
2. paste Auth0 credentials to `env-vars-testing.conf`
3. (re)start openwhyd + db in docker: `$ docker compose up --build --detach`
4. seed test users: `$ make docker-seed`

To repeat after each code change:

3. (re)start openwhyd + db: `$ make dev`

=> when you're done testing, don't forget to run `$ make down`.

### Bulk user import

1. copy-paste [this token](https://manage.auth0.com/dashboard/eu/dev-vh1nl8wh3gmzgnhp/apis/management/explorer) to file: `scripts/auth0/.token`
2. run `$ scripts/auth0/import-test-users.sh`
3. check that users are imported: [Users](https://manage.auth0.com/dashboard/eu/dev-vh1nl8wh3gmzgnhp/users) + [Logs](https://manage.auth0.com/dashboard/eu/dev-vh1nl8wh3gmzgnhp/logs)

### Login+logout

1. open http://localhost:8080
2. click on "log in" => you're redirected to auth0's login page
3. login with `admin`/`admin` or `dummy`/`admin`
4. back on openwhyd, logout

### Signup

1. open http://localhost:8080
2. click on "sign up" => you're redirected to auth0's signup page
3. submit a username (e.g. `adrien`), an email address and a password
4. back on openwhyd, logout
5. follow the "login+logout" procedure (above), to check that you can login with username or email

### Change of email address

Once you're logged in:

1. open http://localhost:8080/settings
2. change the email address
3. click "save changes", ignore the error message
4. check that the email address was updated, in [Auth0's user list](https://manage.auth0.com/dashboard/eu/dev-vh1nl8wh3gmzgnhp/users)

### Change of password

Once you're logged in:

1. open http://localhost:8080/settings
2. click on the "password" tab
3. type the same password in the 3 fields (any valid value will do)
4. click "save changes" => a message tells you that you'll receive an email
5. logout
6. open the email, click the link, pick a new password
7. back on http://localhost:8080, login with your new password

### Change of handle/username

Once you're logged in:

1. open http://localhost:8080/settings
2. type a username in the "Custom URL" field
3. click "save changes"
4. logout
5. login with your new username+password

### Account deletion

Once you're logged in:

1. open http://localhost:8080/settings
2. click on "delete your account" and confirm
3. check that the user is not listed anymore in [Auth0's user list](https://manage.auth0.com/dashboard/eu/dev-vh1nl8wh3gmzgnhp/users)

## TODO / probably worth doing before merging

- [ ] import users' Facebook id to Auth0 too, so users can still login to Openwhyd using their Facebook account, after migrating to Auth0 => we could delete all facebook-related code and possibly close #658. => test that it works as expected.

## To be done later

- forward change of avatar to Auth0

## References and resources

- Auth0 [Application Details](https://manage.auth0.com/dashboard/eu/dev-vh1nl8wh3gmzgnhp/applications/87WcUOdE9SGegwDcZfPRdl4Kw3T21pqs/settings)
- npm package used for auth: [express-openid-connect](https://auth0.github.io/express-openid-connect/)
- API reference of npm package used for other operations: [node-auth0](https://auth0.github.io/node-auth0/index.html)
adrienjoly pushed a commit that referenced this issue Oct 15, 2023
# [1.58.0](v1.57.1...v1.58.0) (2023-10-15)

### Features

* **auth:** allow Auth0 as authentication server, after bulk user import ([#705](#705)) ([a65723f](a65723f)), closes [#593](#593) [#669](#669) [#658](#658)
adrienjoly added a commit that referenced this issue Dec 27, 2023
Follow up of #705. May contribute to #669.

Usage, from project root dir:

```sh
$ mongoexport -d ${dbname} -c user --type=json --out ./prod-users.json-lines -u ${dbuser} -p ${dbpassword}
$ node ./scripts/auth0/prepare-import-batches.js # => create files: `prod-users-*.for-auth0.json`
$ ./scripts/auth0/import-prod-users.sh
```
adrienjoly pushed a commit that referenced this issue Dec 27, 2023
## [1.59.4](v1.59.3...v1.59.4) (2023-12-27)

### Bug Fixes

* **auth:** add scripts to import users to auth0 ([#755](#755)) ([d55d0f3](d55d0f3)), closes [#705](#705) [#669](#669)