jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Return 403 if totp token is invalid

Browse Source 
the ui redirects to login screen otherwise
This commit is contained in:
Girish Ramakrishnan
2019-03-23 14:07:37 -07:00
parent 0190a92c26
commit ee76c2c06e
5 changed files with 5 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/routes/apps.js
View File

@@ -60,7 +60,7 @@ function verifyOwnership(req, res, next) {
if (error && error.reason === AppsError.NOT_FOUND) return next(new HttpError(404, 'No such app'));
if (error) return next(new HttpError(500, error));
if (app.ownerId !== req.user.id) return next(new HttpError(401, 'Unauthorized'));
if (app.ownerId !== req.user.id) return next(new HttpError(403, 'User is not owner'));
next();
});

2
src/routes/notifications.js
View File

@@ -20,7 +20,7 @@ function verifyOwnership(req, res, next) {
if (error && error.reason === NotificationsError.NOT_FOUND) return next(new HttpError(404, 'No such notification'));
if (error) return next(new HttpError(500, error));
if (result.userId !== req.user.id) return next(new HttpError(401, 'Unauthorized'));
if (result.userId !== req.user.id) return next(new HttpError(403, 'User is not owner'));
req.notification = result;

2
src/routes/profile.js
View File

@@ -89,7 +89,7 @@ function enableTwoFactorAuthentication(req, res, next) {
users.enableTwoFactorAuthentication(req.user.id, req.body.totpToken, function (error) {
if (error && error.reason === UsersError.NOT_FOUND) return next(new HttpError(404, 'User not found'));
if (error && error.reason === UsersError.BAD_TOKEN) return next(new HttpError(401, 'Invalid token'));
if (error && error.reason === UsersError.BAD_TOKEN) return next(new HttpError(403, 'Invalid token'));
if (error && error.reason === UsersError.ALREADY_EXISTS) return next(new HttpError(409, 'TwoFactor Authentication is already enabled'));
if (error) return next(new HttpError(500, error));

2
src/routes/users.js
View File

@@ -136,7 +136,7 @@ function verifyPassword(req, res, next) {
if (typeof req.body.password !== 'string') return next(new HttpError(400, 'API call requires user password'));
users.verifyWithUsername(req.user.username, req.body.password, function (error) {
if (error && error.reason === UsersError.WRONG_PASSWORD) return next(new HttpError(403, 'Password incorrect')); // not 401 intentionally
if (error && error.reason === UsersError.WRONG_PASSWORD) return next(new HttpError(403, 'Password incorrect')); // not 401 intentionally since the UI redirects for 401
if (error && error.reason === UsersError.NOT_FOUND) return next(new HttpError(404, 'No such user'));
if (error) return next(new HttpError(500, error));