fix: Update session user references in handlers for improved security
wajeht committed Jan 6, 2025
1 parent 2149836 commit 1237988
Showing 1 changed file with 8 additions and 8 deletions.
16 changes: 8 additions & 8 deletions src/handlers.ts
Expand Up @@ -83,7 +83,7 @@ export function getLogoutHandler(req: Request, res: Response) {

// GET /login
export function getLoginHandler(req: Request, res: Response) {
if (req.user) {
if (req.session.user) {
return res.redirect('/search');
}

Expand Down Expand Up @@ -155,7 +155,7 @@ export async function getGithubRedirectHandler(req: Request, res: Response) {
// POST /search
export async function postSearchHandler(req: Request, res: Response) {
const query = req.body.q?.toString().trim() || '';
await search({ res, user: req.user!, query, req });
await search({ res, user: req.session.user!, query, req });
}

/**
Expand Down Expand Up @@ -414,7 +414,7 @@ export async function deleteBookmarkHandler(req: Request, res: Response) {

// GET /bookmarks/:id/edit
export async function getEditBookmarkPageHandler(req: Request, res: Response) {
const bookmark = await bookmarks.read(req.params.id as unknown as number, req.user!.id);
const bookmark = await bookmarks.read(req.params.id as unknown as number, req.session.user!.id);

return res.render('bookmarks-edit.html', {
title: 'Bookmark / Edit',
Expand All @@ -429,7 +429,7 @@ export async function getBookmarkActionCreatePageHandler(req: Request, res: Resp
const bookmark = await db('bookmarks')
.where({
id: req.params.id,
user_id: req.user?.id,
user_id: req.session.user?.id,
})
.first();

Expand Down Expand Up @@ -490,7 +490,7 @@ export async function getExportBookmarksHandler(req: Request, res: Response) {
const bookmarks = (await db
.select('url', 'title', db.raw("strftime('%s', created_at) as add_date"))
.from('bookmarks')
.where({ user_id: req.user?.id })) as BookmarkToExport[];
.where({ user_id: req.session.user?.id })) as BookmarkToExport[];

if (!bookmarks.length) {
req.flash('info', 'no bookmarks to export yet.');
Expand Down Expand Up @@ -529,7 +529,7 @@ export async function getSettingsAccountPageHandler(req: Request, res: Response)

// POST /settings/create-api-key
export async function postSettingsCreateApiKeyHandler(req: Request, res: Response) {
const user = await db('users').where({ id: req.user?.id }).first();
const user = await db('users').where({ id: req.session.user?.id }).first();

if (!user) {
throw NotFoundError();
Expand Down Expand Up @@ -700,7 +700,7 @@ export const postImportDataHandler = [
}),
]),
async (req: Request, res: Response) => {
const userId = req.user?.id;
const userId = req.session.user?.id;
const importData = JSON.parse(req.body.config);

try {
Expand Down Expand Up @@ -754,7 +754,7 @@ export async function getSettingsDangerZonePageHandler(req: Request, res: Respon

// POST /settings/danger-zone/delete
export async function postDeleteSettingsDangerZoneHandler(req: Request, res: Response) {
await db('users').where({ id: req.user?.id }).delete();
await db('users').where({ id: req.session.user?.id }).delete();

if ((req.session && req.session.user) || req.user) {
req.session.user = null;
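Review bot: In postDeleteSettingsDangerZoneHandler the DELETE on `users` is issued with `req.session.user?.id` before anything in the handler confirms a session user exists, so a request with no session user reaches the database with an undefined id, and whether that then errors out or is silently compiled depends on how the query builder treats an undefined binding, which this hunk does not show. Resolve the id once and refuse to continue without it, e.g. `const userId = req.session.user?.id; if (userId == null) throw NotFoundError();` ahead of the delete, the way postSettingsCreateApiKeyHandler above looks the user up before acting. The cleanup condition two lines below still tests `req.user`, which this commit otherwise replaces with `req.session.user`; unless some other layer still populates `req.user`, that check is stale and should read `if (req.session && req.session.user)`. The same optional-chained id flowing straight into a query filter appears in the getBookmarkActionCreatePage, getExportBookmarks, postSettingsCreateApiKey and postImportData hunks, while postSearchHandler and getEditBookmarkPageHandler instead use `req.session.user!` — one explicit guard at the top of each handler would make the absent-user behaviour consistent across them. The remainder of this handler lies outside the hunk.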
