
Commit 5bbf463

authored
build: Release (#3211)
2 parents 9f4bdf1 + cf8f69e commit 5bbf463

30 files changed

+2304
-1811
lines changed

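--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -4,9 +4,7 @@
 Any contribution is under this [license](https://github.com/parse-community/parse-dashboard/blob/alpha/LICENSE).
 
 ## Issue
-<!-- Add the link to the issue that this PR closes. -->
-
-Closes: FILL_THIS_OUT
+<!-- Describe or link the issue that this PR closes. -->
 
 ## Approach
 <!-- Describe the changes in this PR. -->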

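--- a/Parse-Dashboard/Authentication.js
+++ b/Parse-Dashboard/Authentication.js
@@ -1,10 +1,14 @@
 'use strict';
 const bcrypt = require('bcryptjs');
-const csrf = require('csurf');
+const { csrfSync } = require('csrf-sync');
 const passport = require('passport');
 const LocalStrategy = require('passport-local').Strategy;
 const OTPAuth = require('otpauth')
 
+const { csrfSynchronisedProtection } = csrfSync({
+getTokenFromRequest: (req) => req.body._csrf || req.headers['x-csrf-token'],
+});
+
 /**
 * Constructor for Authentication class
 *
@@ -27,7 +31,7 @@ function initialize(app, options) {
 const match = self.authenticate({
 name: username,
 pass: password,
-otpCode: req.body.otpCode
+otpCode: req.body?.otpCode
 });
 if (!match.matchingUsername) {
 return cb(null, false, { message: JSON.stringify({ text: 'Invalid username or password' }) });
@@ -81,11 +85,11 @@ function initialize(app, options) {
 app.use(passport.session());
 
 app.post('/login',
-csrf(),
+csrfSynchronisedProtection,
 (req,res,next) => {
 let redirect = 'apps';
 let originalRedirect = null;
-if (req.body.redirect) {
+if (req.body?.redirect) {
 originalRedirect = req.body.redirect;
 // Validate redirect to prevent open redirect vulnerability
 if (originalRedirect.includes('://') || originalRedirect.startsWith('//')) {
@@ -176,5 +180,6 @@ function authenticate(userToTest, usernameOnly) {
 
 Authentication.prototype.initialize = initialize;
 Authentication.prototype.authenticate = authenticate;
+Authentication.csrfProtection = csrfSynchronisedProtection;
 
 module.exports = Authentication;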
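Review bot: The csrf-sync token extractor added in the first hunk, `getTokenFromRequest: (req) => req.body._csrf || req.headers['x-csrf-token']`, dereferences `req.body` unguarded, so a POST to /login whose body was not parsed (no matching body parser, unsupported content type) throws a TypeError inside the middleware instead of producing the normal CSRF rejection; the same commit already switches the other reads to `req.body?.otpCode` and `req.body?.redirect`, so the extractor should match: `getTokenFromRequest: (req) => req.body?._csrf ?? req.headers['x-csrf-token'],`. csrf-sync keeps the expected token in the session, so `csrfSynchronisedProtection` only works when it runs after the session middleware; the third hunk registers it after `passport.session()`, but the session setup itself is outside the hunk, so confirm the ordering there. A one-line comment above the `csrfSync({ ... })` call, `// CSRF token is accepted from the _csrf form field or the x-csrf-token header; expected value lives in the session`, would spare the next reader from looking up which source the login template supplies.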

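--- a/Parse-Dashboard/app.js
+++ b/Parse-Dashboard/app.js
@@ -2,7 +2,6 @@
 
 const express = require('express');
 const path = require('path');
-const csrf = require('csurf');
 const Authentication = require('./Authentication.js');
 const fs = require('fs');
 const ConfigKeyCache = require('./configKeyCache.js');
@@ -201,7 +200,7 @@ module.exports = function(config, options) {
 // Agent API endpoint for handling AI requests - scoped to specific app
 app.post('/apps/:appId/agent', async (req, res) => {
 try {
-const { message, modelName, conversationId, permissions } = req.body;
+const { message, modelName, conversationId, permissions } = req.body || {};
 const { appId } = req.params;
 
 if (!message || typeof message !== 'string' || message.trim() === '') {
@@ -1065,7 +1064,7 @@ You have direct access to the Parse database through function calls, so you can
 }
 }
 
-app.get('/login', csrf(), function(req, res) {
+app.get('/login', Authentication.csrfProtection, function(req, res) {
 let redirectURL = null;
 try {
 const url = new URL(req.url, 'http://localhost');
@@ -1116,7 +1115,7 @@ You have direct access to the Parse database through function calls, so you can
 });
 
 // For every other request, go to index.html. Let client-side handle the rest.
-app.get('/*', function(req, res) {
+app.get('{*splat}', function(req, res) {
 if (users && (!req.user || !req.user.isAuthenticated)) {
 const redirect = req.url.replace('/login', '');
 if (redirect.length > 1) {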
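Review bot: The GET /login route in the third hunk swaps `csrf()` for `Authentication.csrfProtection`, but csurf also supplied `req.csrfToken()` to the handler for embedding in the login form, and the handler body that renders the form is outside the hunk; as far as I know csrf-sync's synchronised middleware does not validate GET requests by default, so the only reason to mount it here is to get a token generator for the form — confirm the handler still obtains its token through csrf-sync (its `generateToken` or whatever the middleware attaches) rather than a now-undefined `req.csrfToken`, otherwise every login POST will fail the check added in Authentication.js. The `{*splat}` catch-all in the last hunk is Express 5 route syntax; the express version change is not among the three files shown here, so make sure it ships in this release, since an Express 4 router would most likely treat it as a literal path and the fallback route would stop matching. The enclosing `module.exports = function(config, options)` and each handler continue outside the hunks.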
