Check that the user exist for endpoints requiring authenticated users #230
Description
Endpoints only check that the JWT token is valid and contains a user ID.
There is a function to get the user id from the JSON Web Token:

```rust
pub async fn get_user_id_from_bearer_token(&self, maybe_token: &Option<BearerToken>) -> Result<UserId, ServiceError> {
    let claims = self.get_claims_from_bearer_token(maybe_token).await?;
    Ok(claims.user.user_id)
}
```

It only gets the user id from the token but does not check that the user exists.
That could lead to some bugs. For example, suppose a user has an open session with a valid token, and an admin removes him/her from the system (which is not possible now; it can only be done manually in the database). In that case, the handlers requiring authenticated users will continue working.
For example, the upload_torrent_handler will continue because it only needs the user id. The database query to insert the new torrent will then fail because of a foreign key constraint (the user does not exist in the users table).
```rust
pub async fn upload_torrent_handler(
    State(app_data): State<Arc<AppData>>,
    Extract(maybe_bearer_token): Extract,
    multipart: Multipart,
) -> Response {
    let user_id = match app_data.auth.get_user_id_from_bearer_token(&maybe_bearer_token).await {
        Ok(user_id) => user_id,
        Err(error) => return error.into_response(),
    };
    // user_id is valid but the user does not exist!!!
    let torrent_request = match get_torrent_request_from_payload(multipart).await {
        Ok(torrent_request) => torrent_request,
        Err(error) => return error.into_response(),
    };
    let info_hash = torrent_request.torrent.info_hash().clone();
    match app_data.torrent_service.add_torrent(torrent_request, user_id).await {
        Ok(torrent_id) => new_torrent_response(torrent_id, &info_hash).into_response(),
        Err(error) => error.into_response(),
    }
}
```

How to reproduce
- Start the app
- Register a new user
- Login
- Go to upload torrent form
- Delete the user from the database
- Submit the upload new torrent form
Solution
The function get_user_id_from_bearer_token, called here:

```rust
let user_id = match app_data.auth.get_user_id_from_bearer_token(&maybe_bearer_token).await {
    Ok(user_id) => user_id,
    Err(error) => return error.into_response(),
};
```

should check that the user exists and return a "user not found" error if the user does not exist.
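An added example of the proposed check, not code from the torrust-index project: the JWT layer, the `UserId` and `ServiceError` types and the user repository are replaced by synchronous stand-ins (an in-memory set of user ids, and a constructed "user:&lt;id&gt;" string in place of a verified token) so that the checked and unchecked lookups can be compared side by side.

```rust
use std::collections::HashSet;

/// Stand-ins for the project's `UserId` and `ServiceError` (assumptions, not the real types).
type UserId = i64;

#[derive(Debug, PartialEq)]
enum ServiceError {
    Unauthorized, // bearer token missing or invalid
    UserNotFound, // token is valid but the user row no longer exists
}

/// In-memory stand-in for the users table / user repository.
struct UserRepository {
    existing: HashSet<UserId>,
}

impl UserRepository {
    fn user_exists(&self, id: UserId) -> bool {
        self.existing.contains(&id)
    }
}

struct Claims { user_id: UserId }

/// Constructed JWT layer: a token of the form "user:<id>" stands for an already
/// signature-verified JWT whose user_id claim is <id>. Anything else is rejected.
fn get_claims_from_bearer_token(token: Option<&str>) -> Result<Claims, ServiceError> {
    let user_id = token
        .and_then(|t| t.strip_prefix("user:"))
        .and_then(|s| s.parse::<UserId>().ok())
        .ok_or(ServiceError::Unauthorized)?;
    Ok(Claims { user_id })
}

/// Current behaviour described in the issue: trusts the claim alone.
fn get_user_id_from_bearer_token_unchecked(token: Option<&str>) -> Result<UserId, ServiceError> {
    Ok(get_claims_from_bearer_token(token)?.user_id)
}

/// Proposed fix: after reading the claim, confirm the user still exists
/// and map a deleted user to a distinct "user not found" error.
fn get_user_id_from_bearer_token(repo: &UserRepository, token: Option<&str>) -> Result<UserId, ServiceError> {
    let user_id = get_claims_from_bearer_token(token)?.user_id;
    if !repo.user_exists(user_id) {
        return Err(ServiceError::UserNotFound);
    }
    Ok(user_id)
}
```

With user 42 removed from the repository after its token was issued, the unchecked function still returns `Ok(42)` while the checked one returns `UserNotFound`, which is the difference the handler needs in order to reject the request before reaching the foreign key constraint.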