/api/change-access-code and /manage pages are potentially public #45

Open
qvd808 opened this issue Aug 20, 2024 · 1 comment
Labels
priority/low (Not a pressing issue, can be handled later)
severity/high (Substantially disrupting but not completely block users)
type/question (Further information is requested)

Comments

@qvd808
Collaborator

qvd808 commented Aug 20, 2024

Problem

/api/change-access-code does not require authentication, meaning anyone understanding the API logic can potentially change the access code. Similarly, right now, we can access the /manage pages via URL instead of through /manage-login.

Note

We'll address this later, after completing the change access code functionality.

qvd808 assigned qvd808, Sallin142 and dangminhduc1101 and unassigned qvd808 Aug 20, 2024
dangminhduc1101 changed the title from "Pretty scary!!!" to "/api/change-access-code is potentially public" Sep 17, 2024
dangminhduc1101 added the labels type/question (Further information is requested), severity/critical (Completely blocks users from using the application) and priority/low (Not a pressing issue, can be handled later) Sep 17, 2024
dangminhduc1101 added the label severity/high (Substantially disrupting but not completely block users) and removed the label severity/critical (Completely blocks users from using the application) Sep 17, 2024
dangminhduc1101 changed the title from "/api/change-access-code is potentially public" to "/api/change-access-code and /manage pages are potentially public" Sep 18, 2024
@dangminhduc1101
Collaborator

#46 and #48 are resolved, so @qvd808 can take a look at this. This might be a good place to start: https://nextjs.org/docs/app/building-your-application/routing/middleware
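
One way to express the check both routes in this issue need, added here as an example and not taken from the project's code. It assumes /manage-login sets a session cookie; the cookie name `manage_session`, the `decide` function and the `isValidSession` callback are hypothetical.

```javascript
// Added example: SESSION_COOKIE, decide and isValidSession are hypothetical
// names, not identifiers from the project.
const SESSION_COOKIE = "manage_session"; // assumed to be set by /manage-login
const LOGIN_PATH = "/manage-login";

// Extract one cookie value from a raw Cookie header; null when absent.
function readCookie(header, name) {
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0 && part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim() || null;
    }
  }
  return null;
}

// True for /manage and anything beneath it, but not for siblings that only
// share the prefix, such as /manage-login (gating that would loop forever).
function isManagePage(pathname) {
  return pathname === "/manage" || pathname.startsWith("/manage/");
}

function isProtectedApi(pathname) {
  return pathname === "/api/change-access-code" ||
         pathname.startsWith("/api/change-access-code/");
}

// Decide what to do with a request. isValidSession stands for the app's own
// server-side check (assumed to exist) that a session token is still live.
function decide(pathname, cookieHeader, isValidSession) {
  const page = isManagePage(pathname);
  const api = isProtectedApi(pathname);
  if (!page && !api) return { action: "next" };

  const token = readCookie(cookieHeader, SESSION_COOKIE);
  if (token !== null && isValidSession(token)) return { action: "next" };

  // API callers get a status code; browsers are sent to the login page.
  return api
    ? { action: "deny", status: 401 }
    : { action: "redirect", location: LOGIN_PATH };
}

// In a Next.js middleware these outcomes map onto NextResponse.next(),
// NextResponse.redirect() and NextResponse.json(..., { status: 401 }).
```

The route handler behind /api/change-access-code should repeat the same session check itself, so the endpoint stays protected even if the middleware matcher is later changed.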
