Missing files
This commit is contained in:
@@ -45,7 +45,7 @@ public static class StateEndpoints
|
|||||||
{
|
{
|
||||||
var player = await EndpointHelpers.GetAuthenticatedPlayer(ctx, db);
|
var player = await EndpointHelpers.GetAuthenticatedPlayer(ctx, db);
|
||||||
if (player is null) return Results.Unauthorized();
|
if (player is null) return Results.Unauthorized();
|
||||||
var isAdmin = await EndpointHelpers.IsAdmin(ctx, db, config);
|
var isAdmin = await EndpointHelpers.IsAdmin(ctx, db);
|
||||||
|
|
||||||
var next = NextPhase(player.CurrentPhase);
|
var next = NextPhase(player.CurrentPhase);
|
||||||
var appState = await db.AppState.FirstAsync();
|
var appState = await db.AppState.FirstAsync();
|
||||||
@@ -65,7 +65,7 @@ public static class StateEndpoints
|
|||||||
{
|
{
|
||||||
var player = await EndpointHelpers.GetAuthenticatedPlayer(ctx, db);
|
var player = await EndpointHelpers.GetAuthenticatedPlayer(ctx, db);
|
||||||
if (player is null) return Results.Unauthorized();
|
if (player is null) return Results.Unauthorized();
|
||||||
var isAdmin = await EndpointHelpers.IsAdmin(ctx, db, config);
|
var isAdmin = await EndpointHelpers.IsAdmin(ctx, db);
|
||||||
if (!isAdmin)
|
if (!isAdmin)
|
||||||
{
|
{
|
||||||
return Results.BadRequest(new { error = "Only admins can move backward." });
|
return Results.BadRequest(new { error = "Only admins can move backward." });
|
||||||
|
|||||||
10
TASKS.md
10
TASKS.md
@@ -1,10 +0,0 @@
|
|||||||
# TASKS - Review findings
|
|
||||||
|
|
||||||
- [x] **Critical - Unsigned auth cookie allows impersonation** (`Infrastructure/PlayerIdentityExtensions.cs`, `Endpoints/EndpointHelpers.cs`, `wwwroot/js/api.js`): The `player` cookie stores a raw GUID and is trusted on every request; `/api/suggestions/all` exposes other players' IDs, so a user can copy an ID, set the cookie, and become that account (including admins). Move to ASP.NET Core cookie auth with signed/encrypted tickets or a server-side session table, and avoid exposing player IDs where not necessary.
|
|
||||||
- [x] **Critical - Stored XSS via suggestion content/links** (`wwwroot/js/ui.js`, `wwwroot/index.html`, `Endpoints/SuggestEndpoints.cs`): Names, descriptions, and URLs are injected with `innerHTML` and unescaped links; `gameUrl`/`youtubeUrl` accept any scheme. A malicious suggestion can run script when viewed. Sanitize/escape on render (use `textContent`), validate URLs to http/https on the server, and consider HTML sanitization for descriptions.
|
|
||||||
- [x] **High - SSRF surface in screenshot validation** (`Endpoints/EndpointHelpers.IsReachableImageAsync`, `SuggestEndpoints.cs`): The server performs HEAD/GET requests to arbitrary user-provided URLs with minimal limits, enabling internal port probing and latency spikes. Restrict to allowlisted hosts or disable remote fetch; at minimum block private IPs/localhost, disallow redirects, and enforce tight size/time limits.
|
|
||||||
- [x] **High - Phase recalculation writes on every poll** (`Endpoints/EndpointHelpers.GetPhase`, `wwwroot/app.js`): `GetPhase` unconditionally calls `SaveChangesAsync`; the client polls `/api/state` every 4s, causing constant writes and SQLite WAL churn/locks even when nothing changes. Track a `changed` flag and persist only when state mutations occur; consider reducing poll frequency or using long polling/server push later.
|
|
||||||
- [x] **Medium - Admin key accepted via query string** (`Endpoints/EndpointHelpers.IsAdmin`): Accepting `key` in the query leaks secrets via logs and referrers. Require the `X-Admin-Key` header (or authenticated admin account) only, and rate-limit/monitor attempts.
|
|
||||||
- [x] **Medium - Brittle base path detection on the client** (`wwwroot/js/api.js`): The heuristic that picks the first path segment can double-prefix or break when the app is nested (e.g., `/picknplay/`). Prefer explicit `<meta name="app-base">` or `<base>` and drop the autodetect fallback.
|
|
||||||
- [ ] **Maintenance - Centralize auth/phase concerns** (multiple endpoints): Each endpoint manually fetches the player, admin status, and phase gating, repeating logic and increasing drift risk. Introduce endpoint filters/middleware to attach the current player and enforce phase/admin requirements declaratively.
|
|
||||||
- [x] **Maintenance - Clear invalid cookies** (`Infrastructure/PlayerIdentityExtensions.cs`): When a cookie references a deleted player, we keep reissuing it; endpoints respond 401 but the cookie persists. Clear the cookie if lookup fails to avoid client loops.
|
|
||||||
@@ -39,49 +39,15 @@ function Invoke-Json {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
Write-Host "1) Health check"
|
Write-Host "Health check..."
|
||||||
Invoke-Json -Method GET -Path "/health" | Out-Host
|
Invoke-Json -Method GET -Path "/health" | Out-Host
|
||||||
|
|
||||||
Write-Host "`n2) Admin factory reset (clears players, suggestions, votes)"
|
Write-Host "`nAdmin factory reset (clears players, suggestions, votes)..."
|
||||||
Invoke-Json -Method POST -Path "/api/admin/factory-reset" -Headers @{ "X-Admin-Key" = $AdminKey } | Out-Host
|
Invoke-Json -Method POST -Path "/api/admin/factory-reset" -Headers @{ "X-Admin-Key" = $AdminKey } | Out-Host
|
||||||
|
|
||||||
Write-Host "`n3) Set player name"
|
# TODO
|
||||||
$me = Invoke-Json -Method POST -Path "/api/me/name" -Body @{ name = "SmokeTester" }
|
|
||||||
$me | Out-Host
|
|
||||||
|
|
||||||
Write-Host "`n4) Submit three suggestions"
|
Write-Host "`nAdmin factory reset (clears players, suggestions, votes)..."
|
||||||
$ids = @()
|
|
||||||
1..3 | ForEach-Object {
|
|
||||||
$resp = Invoke-Json -Method POST -Path "/api/suggestions" -Body @{
|
|
||||||
name = "Game $_"
|
|
||||||
genre = "Genre $_"
|
|
||||||
description = "Autogenerated suggestion $_"
|
|
||||||
}
|
|
||||||
$ids += $resp.id
|
|
||||||
$resp | Out-Host
|
|
||||||
}
|
|
||||||
|
|
||||||
Write-Host "`n4b) Delete the third suggestion (Suggest phase only)"
|
|
||||||
Invoke-Json -Method DELETE -Path "/api/suggestions/$($ids[2])" | Out-Host
|
|
||||||
$ids = $ids[0..1]
|
|
||||||
|
|
||||||
Write-Host "`n5) Reveal phase"
|
|
||||||
Invoke-Json -Method POST -Path "/api/admin/phase" -Headers @{ "X-Admin-Key" = $AdminKey } -Body @{ phase = "Reveal" } | Out-Host
|
|
||||||
Invoke-Json -Method GET -Path "/api/suggestions/all" | Out-Host
|
|
||||||
|
|
||||||
Write-Host "`n6) Vote phase"
|
|
||||||
Invoke-Json -Method POST -Path "/api/admin/phase" -Headers @{ "X-Admin-Key" = $AdminKey } -Body @{ phase = "Vote" } | Out-Host
|
|
||||||
Invoke-Json -Method POST -Path "/api/votes" -Body @{ suggestionId = $ids[0]; score = 10 } | Out-Host
|
|
||||||
Invoke-Json -Method POST -Path "/api/votes" -Body @{ suggestionId = $ids[1]; score = 7 } | Out-Host
|
|
||||||
if ($ids.Count -ge 3) {
|
|
||||||
Invoke-Json -Method POST -Path "/api/votes" -Body @{ suggestionId = $ids[2]; score = 5 } | Out-Host
|
|
||||||
}
|
|
||||||
|
|
||||||
Write-Host "`n7) Results phase"
|
|
||||||
Invoke-Json -Method POST -Path "/api/admin/phase" -Headers @{ "X-Admin-Key" = $AdminKey } -Body @{ phase = "Results" } | Out-Host
|
|
||||||
Invoke-Json -Method GET -Path "/api/results" | Out-Host
|
|
||||||
|
|
||||||
Write-Host "`n8) Admin factory reset (clears players, suggestions, votes)"
|
|
||||||
Invoke-Json -Method POST -Path "/api/admin/factory-reset" -Headers @{ "X-Admin-Key" = $AdminKey } | Out-Host
|
Invoke-Json -Method POST -Path "/api/admin/factory-reset" -Headers @{ "X-Admin-Key" = $AdminKey } | Out-Host
|
||||||
|
|
||||||
Write-Host "`nSmoke test completed."
|
Write-Host "`nSmoke test completed."
|
||||||
|
|||||||
Reference in New Issue
Block a user