From 74e09ba4c4f968534810ce3b864c2eb7c83166f3 Mon Sep 17 00:00:00 2001
From: Briggette
Date: Mon, 4 Nov 2024 16:02:21 -0300
Subject: [PATCH 1/3] Adding access control for current user
---
 owasp-top10-2021-apps/a1/tictactoe/src/app.js | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/owasp-top10-2021-apps/a1/tictactoe/src/app.js b/owasp-top10-2021-apps/a1/tictactoe/src/app.js
index 83a81c938..c72a9f6b7 100644
--- a/owasp-top10-2021-apps/a1/tictactoe/src/app.js
+++ b/owasp-top10-2021-apps/a1/tictactoe/src/app.js
@@ -7,6 +7,7 @@ const crypto = require('./crypto')
 const cookieParser = require('cookie-parser');
 const logger = require('morgan');
 const helmet = require('helmet');
+const { verify } = require('crypto');
 db.createTables()
@@ -56,6 +57,9 @@ app.get('/healthcheck', (req, res) => {
 app.post('/game', verifyJWT, async (req, res) => {
 const user = req.body.user
 const result = req.body.result
+
+ verifyCurrentUser(req, res)
+
 let statistics = await db.getStatisticsFromUser(user)
 if (statistics === null){
 return res.sendStatus(400)
@@ -120,6 +124,7 @@ app.post('/create', async (req, res) => {
 app.get('/statistics/data', verifyJWT, async (req, res) => {
 const user = req.query.user
+ verifyCurrentUser(req, res)
 let statistics = await db.getStatisticsFromUser(user)
 if (statistics === undefined){
@@ -176,6 +181,18 @@ app.post('/login', async (req, res) => {
 .redirect('/game')
 });
+// Access control
+function verifyCurrentUser(req, res) {
+ var token = req.cookies.tictacsession
+ var currentUser = jwt.decode(token).username
+
+ if (currentUser != req.body.user){
+ res
+ .status(403)
+ .json({msg: "Do no have permission!"})
+ }
+}
+
 function verifyJWT(req, res, next){
 var token = req.cookies.tictacsession
 if (!token){
From d3ea7696b238c79358f96de055fbd1aab66128a3 Mon Sep 17 00:00:00 2001
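Review bot: `verifyCurrentUser(req, res)` in the `/game` hunk sends a 403 but cannot stop the handler, because the call site discards its (undefined) result and falls through to `db.getStatisticsFromUser(user)` and `return res.sendStatus(400)`, so the other user's record is still read, whatever the handler does with `result` past the hunk still runs on the client-supplied `user`, and a second response is attempted on a reply that has already been sent. The same gap is in the `/statistics/data` hunk here and survives PATCH 3/3 with the new `(req, user, res)` signature. Make the check a gate: in the function add `return false` after the `.json(...)` call and `return true` at the end, and at both call sites write `if (!verifyCurrentUser(req, res)) return`. A cleaner alternative is an Express middleware `(req, res, next)` that only calls `next()` on a match and is mounted after `verifyJWT`; both enclosing handlers continue outside their hunks.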
From: Briggette Roman
Date: Mon, 4 Nov 2024 16:26:38 -0300
Subject: [PATCH 2/3] removing unused library
---
 owasp-top10-2021-apps/a1/tictactoe/src/app.js | 1 -
 1 file changed, 1 deletion(-)
diff --git a/owasp-top10-2021-apps/a1/tictactoe/src/app.js b/owasp-top10-2021-apps/a1/tictactoe/src/app.js
index c72a9f6b7..5870c9aff 100644
--- a/owasp-top10-2021-apps/a1/tictactoe/src/app.js
+++ b/owasp-top10-2021-apps/a1/tictactoe/src/app.js
@@ -7,7 +7,6 @@ const crypto = require('./crypto')
 const cookieParser = require('cookie-parser');
 const logger = require('morgan');
 const helmet = require('helmet');
-const { verify } = require('crypto');
 db.createTables()
From 67f99e51dea29e1c4b86fc59d55ba66990bcca8a Mon Sep 17 00:00:00 2001
From: Briggette Roman
Date: Wed, 6 Nov 2024 16:08:30 -0300
Subject: [PATCH 3/3] add user parameter to check in function verifyCurrentUser
---
 owasp-top10-2021-apps/a1/tictactoe/src/app.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/owasp-top10-2021-apps/a1/tictactoe/src/app.js b/owasp-top10-2021-apps/a1/tictactoe/src/app.js
index 5870c9aff..aa475af47 100644
--- a/owasp-top10-2021-apps/a1/tictactoe/src/app.js
+++ b/owasp-top10-2021-apps/a1/tictactoe/src/app.js
@@ -57,7 +57,7 @@ app.post('/game', verifyJWT, async (req, res) => {
 const user = req.body.user
 const result = req.body.result
- verifyCurrentUser(req, res)
+ verifyCurrentUser(req, user, res)
 let statistics = await db.getStatisticsFromUser(user)
 if (statistics === null){
@@ -123,7 +123,7 @@ app.post('/create', async (req, res) => {
 app.get('/statistics/data', verifyJWT, async (req, res) => {
 const user = req.query.user
- verifyCurrentUser(req, res)
+ verifyCurrentUser(req, user, res)
 let statistics = await db.getStatisticsFromUser(user)
 if (statistics === undefined){
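Review bot: The new call shape `verifyCurrentUser(req, user, res)` in the `/game` hunk of PATCH 3/3 (and again in the `/statistics/data` hunk) splits Express's `req`/`res` pair with a plain value, which reads against the convention the file's own `verifyJWT(req, res, next)` follows; `verifyCurrentUser(req, res, user)` keeps the pair together and costs the same four changed lines. Both routes already run `verifyJWT` before the body, so a smaller design is for that middleware to attach the validated username to `req` and for the handlers to use it instead of the client-supplied `req.body.user` / `req.query.user`, which would also make the extra parameter unnecessary; whether `verifyJWT` already sets such a field is not visible in these hunks. Both enclosing handlers start and end outside the hunks.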
@@ -181,11 +181,11 @@ app.post('/login', async (req, res) => {
 });
 // Access control
-function verifyCurrentUser(req, res) {
+function verifyCurrentUser(req, user, res) {
 var token = req.cookies.tictacsession
 var currentUser = jwt.decode(token).username
- if (currentUser != req.body.user){
+ if (currentUser != user){
 res
 .status(403)
 .json({msg: "Do no have permission!"})
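Review bot: `if (currentUser != user)` uses loose equality, so a `user` that arrives as something other than a string (a JSON body is not restricted to strings) is coerced before the comparison; because this line decides authorization, compare strictly and pin the type: `if (typeof user !== 'string' || currentUser !== user){`. `jwt.decode(token)` reads the claims without checking the signature, so the function is only sound because every caller runs after `verifyJWT`; a comment stating that precondition, `// precondition: verifyJWT has already validated req.cookies.tictacsession`, keeps a future route from calling it unguarded, and reading the username from whatever `verifyJWT` validated (not visible here) would remove the dependency on call order. The response text has a typo, `.json({msg: "Do not have permission!"})`, and the two `var` declarations would read better as `const`. The function body continues past the end of the hunk.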