
Security vulnerabilities #59

Merged
merged 8 commits into from
Feb 21, 2025

Conversation

theosiemensrhodes

Changelog

  • Updated our reset-password flow to be 1 request instead of 2. Previously it was possible to reset your own password with just an auth token by sending requests directly to the backend.
  • Updated all frontend requests (excluding login, signup, etc) to include their auth token in the headers.
    • On the backend we check this for every request where the user should be valid.
    • If they are not valid or there is no auth token we send back 401 for unauthorized.
    • Then on the frontend we listen for any 401 errors and logout the user accordingly.
  • On the backend, when querying/updating users from querying/updating user passwords.
    • getUserById(user_id: string, password: boolean = false) exclude password by default here
    • updateUserPassword(user_id: string, password: string) only update user password here

Let me know if anything isn't clear here!
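The three changes in the changelog above (a single-request password reset bound to the verified token, a per-request token check that answers 401, a frontend that logs out on any 401, and user queries that omit the password column unless explicitly asked) sketched as one small TypeScript model. This is an added example written for this page, not code from the ubclaunchpad project; the HMAC token format, the `authenticate`/`handleResetPassword`/`withAuth`/`handleResponse` names, the in-memory `users` map and the `SECRET` value are all constructed for illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// ---- data layer: constructed in-memory stand-in for the users table ----
interface User { id: string; email: string; f_name: string; l_name: string; password: string; active: boolean; }
type SafeUser = Omit<User, "password">;

const users = new Map<string, User>([
  ["u1", { id: "u1", email: "ada@example.test", f_name: "Ada", l_name: "Lovelace", password: "hash:old", active: true }],
  ["u2", { id: "u2", email: "bob@example.test", f_name: "Bob", l_name: "Builder", password: "hash:bob", active: false }],
]);

// Excludes the password column unless the caller explicitly asks for it.
function getUserById(user_id: string, password = false): SafeUser | User | undefined {
  const row = users.get(user_id);
  if (!row) return undefined;
  if (password) return { ...row };
  const { id, email, f_name, l_name, active } = row;
  return { id, email, f_name, l_name, active };
}

// Only ever touches the password column; nothing else about the user can change here.
function updateUserPassword(user_id: string, password: string): boolean {
  const row = users.get(user_id);
  if (!row) return false;
  row.password = `hash:${password}`; // hypothetical: real code would run a proper password hash
  return true;
}

// ---- token layer: hypothetical HMAC-signed "<user_id>.<mac>" token ----
const SECRET = "example-signing-key-not-for-production"; // constructed

function sign(userId: string): string {
  return createHmac("sha256", SECRET).update(userId).digest("hex");
}
function issueToken(userId: string): string { return `${userId}.${sign(userId)}`; }

// Returns the user id the token belongs to, or null if it is missing, tampered, or for an inactive user.
function verifyToken(token: string | undefined): string | null {
  if (!token) return null;
  const dot = token.lastIndexOf(".");
  if (dot < 0) return null;
  const userId = token.slice(0, dot);
  const mac = Buffer.from(token.slice(dot + 1), "utf8");
  const expected = Buffer.from(sign(userId), "utf8");
  if (mac.length !== expected.length || !timingSafeEqual(mac, expected)) return null;
  const user = users.get(userId);
  return user && user.active ? userId : null;
}

// ---- backend: per-request check, 401 when the token is absent or invalid ----
interface HttpRequest { headers: Record<string, string | undefined>; body?: Record<string, unknown>; }
interface HttpResponse { status: number; body: unknown; }

function authenticate(req: HttpRequest): string | null {
  const auth = req.headers["authorization"] ?? "";
  const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : undefined;
  return verifyToken(token);
}

// Single-request reset: the target account comes from the verified token, never from the body.
function handleResetPassword(req: HttpRequest): HttpResponse {
  const userId = authenticate(req);
  if (!userId) return { status: 401, body: { error: "unauthorized" } };
  const newPassword = req.body?.new_password;
  if (typeof newPassword !== "string" || newPassword.length < 8) {
    return { status: 400, body: { error: "bad password" } };
  }
  updateUserPassword(userId, newPassword);
  return { status: 200, body: getUserById(userId) }; // password omitted from the response
}

// ---- frontend: attach the token to every request, log out on any 401 ----
const session: { token: string | null } = { token: null };

function withAuth(req: HttpRequest): HttpRequest {
  const authorization = session.token ? `Bearer ${session.token}` : undefined;
  return { ...req, headers: { ...req.headers, authorization } };
}
function handleResponse(res: HttpResponse): HttpResponse {
  if (res.status === 401) session.token = null; // logout: drop the token so later calls stay unauthenticated
  return res;
}
```

The point the model makes explicit: because `handleResetPassword` derives the account from the token rather than from a user id in the request, a caller holding only their own token can only reset their own password, and `getUserById` never returns the password column unless the caller opts in, so an accidental `res.json(user)` cannot leak it.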

commit 3766612
Author: theosiemensrhodes <[email protected]>
Date:   Wed Feb 12 10:50:06 2025 -0800

    update frontend to match sql

commit 06ac697
Author: Theo Siemens-Rhodes <[email protected]>
Date:   Wed Feb 12 10:34:43 2025 -0800

    Volunteer Profile Imgs in Side Panel & Ensure admin users have login (#58)

    * add f_name, l_name to user, ensure admin login is successful

    * ensure f_name, l_name inserted, ensure inactive volunteers cannot login

commit 9a24013
Merge: 3a37582 9f8fce7
Author: Josh Fung <[email protected]>
Date:   Tue Feb 11 23:29:28 2025 -0800

    Merge pull request #57 from ubclaunchpad/schedule-button-status-logic

    Schedule Page Logic

commit 9f8fce7
Author: Josh Fung <[email protected]>
Date:   Tue Feb 11 23:08:13 2025 -0800

    Added thirty minute window to check-in before and after the shift

commit bfce70e
Merge: 74daca8 3a37582
Author: Josh Fung <[email protected]>
Date:   Sun Feb 9 16:44:11 2025 -0800

    Merge branch 'main' into schedule-button-status-logic

commit 74daca8
Author: Josh Fung <[email protected]>
Date:   Sat Feb 8 22:41:58 2025 -0800

    Fixed shift cards on volunteer dashboard

commit 7e0721c
Author: Josh Fung <[email protected]>
Date:   Thu Feb 6 19:00:12 2025 -0800

    Made panel more similar to designs and buttons more reusable

commit 600e13b
Author: Josh Fung <[email protected]>
Date:   Thu Feb 6 17:44:51 2025 -0800

    Past and fulfilled coverage requests are no longer shown

commit ef3f8f5
Merge: 01008da 6842393
Author: Josh Fung <[email protected]>
Date:   Thu Feb 6 16:57:21 2025 -0800

    Merge branch 'main' into schedule-button-status-logic

commit 01008da
Author: Josh Fung <[email protected]>
Date:   Thu Feb 6 16:23:22 2025 -0800

    Added a different status for your fulfilled coverage requests

commit 584d609
Author: Josh Fung <[email protected]>
Date:   Thu Feb 6 12:25:38 2025 -0800

    Refactor and cleanup

commit 5d3403a
Author: Josh Fung <[email protected]>
Date:   Tue Feb 4 15:36:08 2025 -0800

    Added logic for cancelling shift coverage request

commit fd5ca84
Author: Josh Fung <[email protected]>
Date:   Tue Feb 4 00:57:05 2025 -0800

    Added canceling on covering someone else's shift

commit fb625b2
Merge: 3b9120c 9afcfc8
Author: Josh Fung <[email protected]>
Date:   Tue Feb 4 00:14:45 2025 -0800

    Merge branch 'main' into schedule-button-status-logic

commit 3b9120c
Author: Josh Fung <[email protected]>
Date:   Fri Jan 31 12:42:24 2025 -0800

    Implemented basic cover shift logic and re-rendering side panel

commit 2a56827
Author: Josh Fung <[email protected]>
Date:   Tue Jan 28 20:24:07 2025 -0800

    Implemented check in from frontend and refactored so details panel is re-rendered

commit e9ff8bd
Author: Josh Fung <[email protected]>
Date:   Sun Jan 26 19:21:24 2025 -0800

    Created API endpoint and routes for shift check-in

commit 4a03f0b
Author: Josh Fung <[email protected]>
Date:   Sun Jan 26 17:29:46 2025 -0800

    Corrected prioritization of user's coverage requests over user's shifts

commit 822cf24
Author: Josh Fung <[email protected]>
Date:   Sun Jan 26 17:25:21 2025 -0800

    Refactored to reuse fetchShifts()

commit fe30e39
Author: Josh Fung <[email protected]>
Date:   Sun Jan 26 16:46:27 2025 -0800

    Filter out duplicate shifts and prioritize showing coverage shifts over user's own shifts

@jjessieshang jjessieshang left a comment


Everything looks good to me!

@theosiemensrhodes theosiemensrhodes merged commit e86fa9c into main Feb 21, 2025