This solution refers to which of the apps?
Broken Access Control - E-commerce
The following files were modified:
mongo.go
handlers.go
server.go
To resolve the Broken Access Control issue, it's necessary to verify that the authenticated user is indeed the one who should access the intended content.
To address this, middleware functions were created in the server.go file.
The isAuthorized function aims to check if the user is authorized to access a specific resource, such as a ticket. It extracts the JWT token from the context, retrieves the token's claims, verifies that the user has permission to access the resource (ticket), and returns a 401 Unauthorized if the user is not authorized, or passes the request to the next handler if authorized.
The AuthMiddleware checks if the request header contains a valid JWT token. It extracts the token from the Authorization header, uses the parseToken function to validate the token, and extracts the userID, which is then stored in the request context.
The userHasAccessToTicket function checks, based on the database, whether a user has permission to access a ticket. It uses the database instance (db.DB) to query permissions through the CheckUserPermission function.
In the handlers.go file, the GetTicket function was added. Its purpose is to retrieve information about a ticket for the authenticated user based on the provided user ID. It:
Retrieves the userID stored in the context.
Checks if the data exists and is valid; otherwise, it returns an HTTP 401 Unauthorized error with an appropriate message.
Extracts the user ID, and if they don't match, it returns a 403 Forbidden error.
Queries the database for data related to the UserID.
In the mongo.go file, a CheckUserPermission function was added to check if a user has permission to access a specific ticket. It verifies if there is a document in the tickets collection where the userID and ticketID match the provided values.
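The middleware-plus-ownership-check pattern described above, written out as an added example; this is not the PR's code, and it makes several assumptions: an in-memory map stands in for the Mongo tickets collection, a constructed token table stands in for the real JWT-verifying parseToken, the ticket ID is taken from a hypothetical `id` query parameter, and the function names AuthMiddleware, GetTicket and CheckUserPermission only mirror the description. The point it shows is that the handler never trusts a user ID supplied by the client; it uses the ID the middleware placed in the context and rejects the request unless that user owns the ticket.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// contextKey is an unexported type so other packages cannot collide with our key.
type contextKey string

const userIDKey contextKey = "userID"

// tokensForDemo is a constructed stand-in for JWT verification: it maps bearer
// tokens to user IDs. A real parseToken would check signature and expiry.
var tokensForDemo = map[string]string{
	"token-alice": "alice",
	"token-bob":   "bob",
}

// parseToken is hypothetical; it returns the user ID for a known token.
func parseToken(raw string) (string, error) {
	if uid, ok := tokensForDemo[raw]; ok {
		return uid, nil
	}
	return "", fmt.Errorf("invalid token")
}

// ticket mirrors one document in the tickets collection.
type ticket struct {
	ID     string `json:"id"`
	UserID string `json:"userId"`
	Title  string `json:"title"`
}

// ticketsForDemo is a constructed in-memory stand-in for the Mongo collection.
var ticketsForDemo = map[string]ticket{
	"t1": {ID: "t1", UserID: "alice", Title: "Order #1 arrived late"},
	"t2": {ID: "t2", UserID: "bob", Title: "Refund request"},
}

// CheckUserPermission is true only when a ticket exists whose userID and
// ticketID both match, the same shape as a {userID, ticketID} Mongo query.
func CheckUserPermission(userID, ticketID string) bool {
	t, ok := ticketsForDemo[ticketID]
	return ok && t.UserID == userID
}

// AuthMiddleware validates the bearer token and stores the resulting userID in
// the request context; anything without a valid token gets 401.
func AuthMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") {
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		uid, err := parseToken(strings.TrimPrefix(auth, "Bearer "))
		if err != nil {
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		ctx := context.WithValue(r.Context(), userIDKey, uid)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

// GetTicket reads the userID the middleware stored, checks that this user owns
// the requested ticket, and only then returns the ticket.
func GetTicket(w http.ResponseWriter, r *http.Request) {
	uid, ok := r.Context().Value(userIDKey).(string)
	if !ok || uid == "" {
		http.Error(w, "no authenticated user in context", http.StatusUnauthorized)
		return
	}
	ticketID := r.URL.Query().Get("id") // assumed request shape
	if !CheckUserPermission(uid, ticketID) {
		// Same status for "not yours" and "does not exist", so responses do
		// not reveal which ticket IDs are valid.
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(ticketsForDemo[ticketID])
}

// requestTicket drives the wrapped handler through httptest and returns the
// HTTP status, so the access-control decision can be checked offline.
func requestTicket(token, ticketID string) int {
	h := AuthMiddleware(http.HandlerFunc(GetTicket))
	req := httptest.NewRequest(http.MethodGet, "/ticket?id="+ticketID, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("owner:", requestTicket("token-alice", "t1"))      // 200
	fmt.Println("other user:", requestTicket("token-bob", "t1"))   // 403
	fmt.Println("no token:", requestTicket("", "t1"))              // 401
}
```

The three calls in main cover the cases the PR description lists: a valid token for the owner succeeds, a valid token for a different user is refused with 403 even though the ticket exists, and a request with no token never reaches the handler. Because the handler derives the user solely from the context, a client cannot change the outcome by sending a different user ID in the request body or URL.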