Open
Conversation
#VERCEL_SKIP
Files now automatically pushed to GitHub after Publish to prevent loss.
Integrate Supabase auth, Pi Network payments, and GitHub publishing
Change background to beige, text to black, and add real-time online user count.
Integrate authentication, Pi Network payments, and chat UI updates
Update header to display clickable online user list and add dropdown panel for online users. Change username color in messages and reply preview from orange to red.
Enhance chat with authentication, Pi payments, and online user list
Introduce free donation option with preset amounts and custom input.
Add flexible donation amounts and custom input option
Revise donation page title and description for clarity.
Add custom donation amounts and update page content
… non-Pi browsers Create new policy pages and enhance login with username support.
Enhance donation options, legal documentation, and login compatibility
Add login support for non-Pi browsers
Add bilingual Terms of Service, guest login, and update login links.
Expand login options and add bilingual legal documentation
Remove guest access entirely from both login and API.
Restrict login to Pi Browser and add bilingual legal documentation
Create SQL scripts for 'access_logs', 'pi_users', and 'banned_users'. Fix payment API to save transactions in 'pi_payments'.
Fix SQL script and add media support to chat-room.
…xposes sensitive user activity data to unauthenticated requests
This commit fixes the issue reported at app/api/admin/access-logs/route.ts:4
## Bug Analysis
The `/api/admin/access-logs/route.ts` endpoint is a GET handler that returns sensitive user data including `pi_uid`, `username`, and `created_at` timestamps from the `access_logs` table. Unlike the similar admin endpoint at `/api/admin/ban/route.ts`, this endpoint had **no server-side authorization check**.
While the frontend page (`app/chat/accessi/page.tsx`) does check `isAdmin` from localStorage before displaying the UI, this is purely a client-side check. Anyone could directly call the API endpoint:
```
GET /api/admin/access-logs?date=2024-01-15
```
And receive all user access logs for that date, exposing:
- User Pi UIDs (unique identifiers)
- Usernames
- Access timestamps
This is a classic IDOR/broken access control vulnerability.
## Fix
I implemented the same authorization pattern used by `/api/admin/ban/route.ts`:
1. **API endpoint** (`app/api/admin/access-logs/route.ts`): Added authorization check at the start of the GET handler:
```typescript
const adminUsername = searchParams.get("adminUsername")
if (adminUsername !== "cipollas") return NextResponse.json({ error: "Non autorizzato" }, { status: 403 })
```
2. **Frontend** (`app/chat/accessi/page.tsx`): Updated to:
- Store the admin username from the session in state
- Pass the admin username as a query parameter when calling the API
- Only fetch logs when `adminUsername` is available
This ensures the API now requires the same authorization as the ban endpoint, and only the authorized admin user "cipollas" can access the logs.
Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
Co-authored-by: cipollas <diegogenerali2@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.