
Commit c6fea0d

authored
Merge pull request #47 from fuzziecoder/codex/fix-major-issue-in-backend
Fix broken authz check for GET /api/orders/:id
2 parents b16f8e4 + 0e2194c commit c6fea0d

2 files changed

Lines changed: 50 additions & 2 deletions


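--- a/backend/db.js
+++ b/backend/db.js
@@ -163,6 +163,21 @@ export const database = {
 );
 },
 
+getUserById(userId) {
+const user = state.users.find((entry) => entry.id === userId);
+
+if (!user) {
+return null;
+}
+
+return {
+id: user.id,
+username: user.username,
+name: user.name,
+role: user.role,
+};
+},
+
 userExists(userId) {
 return state.users.some((user) => user.id === userId);
 },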
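Review bot: `getUserById` matches `entry.id === userId` with strict equality at new line 167, but its only caller in this commit passes a string sliced off the Authorization header; if the ids stored in `state.users` are numbers, every lookup returns null and every authenticated request is rejected with 401 — the id type is not visible in this hunk, so please confirm it is a string on both sides (or normalise with `String(entry.id) === String(userId)` if it is not). A short JSDoc would also pin the contract the new authz code now depends on, e.g. `/** Look up a user by id and return only id, username, name and role (other fields are omitted), or null when no user has that id. */`. The enclosing `database` object literal starts before this hunk.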

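--- a/backend/server.js
+++ b/backend/server.js
@@ -48,6 +48,33 @@ const clearRateLimitState = (key) => {
 loginAttempts.delete(key);
 };
 
+const parseBearerToken = (authHeader) => {
+if (typeof authHeader !== 'string') {
+return null;
+}
+
+const [scheme, token] = authHeader.trim().split(/\s+/, 2);
+if (!scheme || !token || scheme.toLowerCase() !== 'bearer') {
+return null;
+}
+
+return token;
+};
+
+const getUserFromAuthHeader = (authHeader) => {
+const token = parseBearerToken(authHeader);
+if (!token || !token.startsWith('demo-token-')) {
+return null;
+}
+
+const userId = token.slice('demo-token-'.length);
+if (!userId) {
+return null;
+}
+
+return database.getUserById(userId);
+};
+
 const recordFailedLoginAttempt = (key) => {
 const now = Date.now();
 const state = getRateLimitState(key);
@@ -181,8 +208,8 @@ const server = createServer(async (req, res) => {
 if (method === 'GET' && path.startsWith('/api/orders/')) {
 const orderId = path.replace('/api/orders/', '');
 
-const authHeader = req.headers.authorization;
-if (!authHeader) {
+const authedUser = getUserFromAuthHeader(req.headers.authorization);
+if (!authedUser) {
 sendJson(res, 401, { error: 'Unauthorized' });
 return;
 }
@@ -194,6 +221,12 @@ const server = createServer(async (req, res) => {
 return;
 }
 
+const isAdmin = authedUser.role === 'admin';
+if (!isAdmin && order.userId !== authedUser.id) {
+sendJson(res, 403, { error: 'Forbidden' });
+return;
+}
+
 sendJson(res, 200, order);
 return;
 }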
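Review bot: The ownership check added at new lines 224–228 rests on an identity the client chooses: `getUserFromAuthHeader` (new lines 64–76) takes `userId` as whatever follows the `demo-token-` prefix, so any caller can send `Authorization: Bearer demo-token-<otherId>` to read another user's orders, or satisfy `authedUser.role === 'admin'` by naming an admin's id. Unless login issues these tokens from an unguessable secret and they are validated against something held server-side (the login handler is outside this diff), the 403 does not actually enforce ownership. The token should be an opaque random value issued at login and mapped to a user on the server, compared with `crypto.timingSafeEqual` rather than parsed for the id; at minimum the `demo-token-` scheme deserves a comment stating that it is a placeholder and must not ship. Separately, `split(/\s+/, 2)` at new line 56 silently accepts `Bearer <token> <trailing junk>`; rejecting headers with more than two parts would be stricter. The enclosing `createServer` callback starts and ends outside these hunks, and the `order` lookup between the 401 and 403 checks is not shown.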
