
validate player secrets on public API requests #125

Merged
merged 21 commits into from
Aug 18, 2021

Conversation

@matthewejones (Contributor) commented Aug 9, 2021

done:

  • Validate player secrets for the following public api requests:

    • players
    • model
    • download
    • download/text
  • Download buttons use get request

todo:

  • send requests with secret in custom header

Resolves #70

let filename = this.getFilename(res);
res.blob().then(fileBlob => {
var url = URL.createObjectURL(fileBlob);
var a = document.createElement('a');
Collaborator

Is it really the best way to temporarily create an a-tag?

Collaborator

Also, we should be consistent with using 'let' and 'var'

Contributor Author

I think we may have talked about this. I couldn't actually get it to download using window.assign() or window.open(); it would just display the file on the screen.

@matthewejones (Contributor Author)

  • I've changed everything to use basic auth now.
  • I also added some error handling, so instead of the game crashing it will just print errors in the console. For the download buttons I've made them turn red like the copy buttons to give the user some feedback when they don't work.
  • I changed the copy buttons to use async, await and try{}catch{} instead of promises. I think this makes it more consistent with the rest of the application. I don't know much about promises/async functions, so let me know if this is wrong/worse somehow.

router.get('/model/:id', async (ctx) => {
const matchID = ctx.params.id;
//authorise
router.use('/:matchID/', async (ctx, next) => {
Collaborator

Do I understand it correctly that routes above this router.use() call are not authenticated and only the ones below actually are?

If yes, I am not sure if this is a good solution. This will definitely lead to confusion if someone wants to add another endpoint in the future... Would it be possible to attach the middleware only to certain routes (and make this explicit)? Or alternatively, could you add something like a whitelist, such that the middleware by default wants to authorize everything and only the routes in the whitelist are not considered?

@matthewejones (Contributor Author) commented Aug 18, 2021

It should be that the routes which match the path '/:matchID/' use the authorisation.
The syntax is router.use(path, callback), where the path is either a string or an array of paths.
It might be better to use '/:matchID/*' (which acts the same but might be a bit clearer),
or to explicitly list all the complete paths: ['/:matchID/players', '/:matchID/model/', ... ]

Collaborator

Oh, I see. Cool! I think '/:matchID/*' would be good. Then the logic is that everything specific to a game should be authenticated, which sounds reasonable to me.

Just for clarity, could you move the router.use() statement above all the route definitions? And could you please mention in the comment that the middleware only applies to the '/:matchID/*' routes?

@ChristophNiehoff (Collaborator)

@matthewejones Just had a manual test of this PR. Works great! I love it!
And regarding your question: Personally, I prefer async/await over promises as I think that makes the code more readable. So, I am very happy with your change!

@ChristophNiehoff ChristophNiehoff merged commit 9bd0106 into dehydr8:master Aug 18, 2021
Successfully merging this pull request may close these issues.

Player secrets are not validated