iio/pingvin-share
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: redirect vulnerability on error, sign in and totp page

Browse Source
This commit is contained in:
Elias Schneider
2024-04-05 12:00:41 +02:00
parent 9d1a12b0d1
commit 384fd19203
4 changed files with 20 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
frontend/src/components/auth/SignInForm.tsx
View File

@@ -25,6 +25,7 @@ import useTranslate from "../../hooks/useTranslate.hook";
import authService from "../../services/auth.service";
import { getOAuthIcon, getOAuthUrl } from "../../utils/oauth.util";
import toast from "../../utils/toast.util";
import { safeRedirectPath } from "../../utils/router.util";
const useStyles = createStyles((theme) => ({
or: {
@@ -98,7 +99,7 @@ const SignInForm = ({ redirectPath }: { redirectPath: string }) => {
);
} else {
await refreshUser();
router.replace(redirectPath);
router.replace(safeRedirectPath(redirectPath));
}
})
.catch(toast.axiosError);

13
frontend/src/components/auth/TotpForm.tsx
View File

@@ -6,15 +6,16 @@ import {
PinInput,
Title,
} from "@mantine/core";
import { useForm, yupResolver } from "@mantine/form";
import { useRouter } from "next/router";
import { useState } from "react";
import { FormattedMessage } from "react-intl";
import * as yup from "yup";
import useTranslate from "../../hooks/useTranslate.hook";
import { useForm, yupResolver } from "@mantine/form";
import { useState } from "react";
import authService from "../../services/auth.service";
import toast from "../../utils/toast.util";
import { useRouter } from "next/router";
import useUser from "../../hooks/user.hook";
import authService from "../../services/auth.service";
import { safeRedirectPath } from "../../utils/router.util";
import toast from "../../utils/toast.util";
function TotpForm({ redirectPath }: { redirectPath: string }) {
const t = useTranslate();
@@ -46,7 +47,7 @@ function TotpForm({ redirectPath }: { redirectPath: string }) {
router.query.loginToken as string,
);
await refreshUser();
await router.replace(redirectPath);
await router.replace(safeRedirectPath(redirectPath));
} catch (e) {
toast.axiosError(e);
form.setFieldError("code", "error");