From 7383b3f8f6c0debf4b63f49f0b4f6d94555c0e0e Mon Sep 17 00:00:00 2001
From: Paul Fitzpatrick
Date: Thu, 23 May 2024 14:59:58 -0400
Subject: [PATCH] use boot-key query parameter, tighten url match, put randomness in suggestions
---
app/client/ui/AdminPanel.ts | 5 +++--
app/common/BaseAPI.ts | 6 +++---
app/server/lib/FlexServer.ts | 2 +-
test/nbrowser/AdminPanel.ts | 4 ++--
test/nbrowser/Boot.ts | 6 +++---
5 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/app/client/ui/AdminPanel.ts b/app/client/ui/AdminPanel.ts
index f13c5f37..48703444 100644
--- a/app/client/ui/AdminPanel.ts
+++ b/app/client/ui/AdminPanel.ts
@@ -98,14 +98,15 @@ export class AdminPanel extends Disposable {
 * which could include a legit adminstrator if auth is misconfigured.
 */
 private _buildMainContentForOthers(owner: MultiHolder) {
+ const exampleKey = 'example-' + window.crypto.randomUUID();
 return dom.create(AdminSection, t('Administrator Panel Unavailable'), [
 dom('p', t(`You do not have access to the administrator panel. Please log in as an administrator.`)),
 dom(
 'p',
 t(`Or, as a fallback, you can set: {{bootKey}} in the environment and visit: {{url}}`, {
- bootKey: dom('pre', 'GRIST_BOOT_KEY=secret'),
- url: dom('pre', `/admin?key=secret`)
+ bootKey: dom('pre', `GRIST_BOOT_KEY=${exampleKey}`),
+ url: dom('pre', `/admin?boot-key=${exampleKey}`)
 }),
 ),
 ]);
diff --git a/app/common/BaseAPI.ts b/app/common/BaseAPI.ts
index 0cdc9e38..09e1ae49 100644
--- a/app/common/BaseAPI.ts
+++ b/app/common/BaseAPI.ts
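Review bot: `window.crypto.randomUUID()` on the added line is only defined in secure contexts (HTTPS or localhost), so on a plain-http self-hosted deployment it throws a TypeError inside `_buildMainContentForOthers` and the "Administrator Panel Unavailable" fallback presumably never renders — the one page an operator with broken auth needs. `crypto.getRandomValues` has no such restriction, so derive the example from it and keep the `example-` prefix the Boot test looks for: `const bytes = window.crypto.getRandomValues(new Uint8Array(16));` `const exampleKey = 'example-' + Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');`. A short comment on the line, such as `// Randomized only so the suggestion is not copied verbatim; never used for authentication.`, would also stop a later reader from treating this value as a credential. The method's closing brace is not within the hunk.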
@@ -66,9 +66,9 @@ export class BaseAPI {
 // This is a fallback mechanism if auth is broken to access the
 // admin panel.
 // TODO: should this be more selective?
- if (typeof window !== 'undefined' && window.location) {
- const url = new URL(window.location.href);
- const bootKey = url.searchParams.get('boot');
+ if (typeof window !== 'undefined' && window.location &&
+ window.location.pathname.endsWith('/admin')) {
+ const bootKey = new URLSearchParams(window.location.search).get('boot-key')
 if (bootKey) {
 this._headers['X-Boot-Key'] = bootKey;
 }
diff --git a/app/server/lib/FlexServer.ts b/app/server/lib/FlexServer.ts
index b2666ccf..5f787886 100644
--- a/app/server/lib/FlexServer.ts
+++ b/app/server/lib/FlexServer.ts
@@ -560,7 +560,7 @@ export class FlexServer implements GristServer {
 this.app.get('/boot(/(:bootKey/?)?)?$', async (req, res) => {
 // Doing a good redirect is actually pretty subtle and we might
 // get it wrong, so just say /boot got moved.
- res.send('The /boot/key page is now /admin?boot=key');
+ res.send('The /boot/KEY page is now /admin?boot-key=KEY');
 });
 }
diff --git a/test/nbrowser/AdminPanel.ts b/test/nbrowser/AdminPanel.ts
index 72ca0909..d93de13c 100644
--- a/test/nbrowser/AdminPanel.ts
+++ b/test/nbrowser/AdminPanel.ts
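Review bot: The added `const bootKey = …get('boot-key')` line drops the terminating semicolon that every other statement in this block has; make it `const bootKey = new URLSearchParams(window.location.search).get('boot-key');`. The new `pathname.endsWith('/admin')` guard is the only thing bounding where the key is sent, because once it lands in `this._headers` it rides on every request this instance makes, yet it also accepts any path whose last segment is `admin` rather than just the admin panel route; if org-prefixed paths are the reason for `endsWith`, say so, otherwise an anchored match is narrower. A one-line comment above the `if`, e.g. `// Only forward the boot key from the admin page itself, so it is not attached to requests made from other pages.`, would record that intent next to the existing TODO. The enclosing method or constructor starts before this hunk.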
@@ -349,11 +349,11 @@ describe('AdminPanel', function() {
 process.env.GRIST_BOOT_KEY = 'zig';
 await server.restart(true);
- await driver.get(`${server.getHost()}/admin?boot=zig`);
+ await driver.get(`${server.getHost()}/admin?boot-key=zig`);
 await waitForAdminPanel();
 assert.equal(await driver.find('.test-admin-panel').isDisplayed(), true);
 assert.notMatch(await driver.find('.test-admin-panel').getText(), /Administrator Panel Unavailable/);
- await driver.get(`${server.getHost()}/admin?boot=zig-wrong`);
+ await driver.get(`${server.getHost()}/admin?boot-key=zig-wrong`);
 await waitForAdminPanel();
 assert.equal(await driver.find('.test-admin-panel').isDisplayed(), true);
 assert.match(await driver.find('.test-admin-panel').getText(), /Administrator Panel Unavailable/);
diff --git a/test/nbrowser/Boot.ts b/test/nbrowser/Boot.ts
index ec86585b..1a8f043c 100644
--- a/test/nbrowser/Boot.ts
+++ b/test/nbrowser/Boot.ts
@@ -20,7 +20,7 @@ describe('Boot', function() {
 await gu.waitToPass(async () => {
 assert.include(
 await driver.findContentWait('pre', /GRIST_BOOT_KEY/, 2000).getText(),
- 'GRIST_BOOT_KEY=secret');
+ 'GRIST_BOOT_KEY=example-');
 }, 3000);
 }
@@ -55,12 +55,12 @@ describe('Boot', function() {
 });
 it('gives prompt when key is wrong', async function() {
- await driver.get(`${server.getHost()}/admin?boot=bilbo`);
+ await driver.get(`${server.getHost()}/admin?boot-key=bilbo`);
 await hasPrompt();
 });
 it('gives page when key is right', async function() {
- await driver.get(`${server.getHost()}/admin?boot=lala`);
+ await driver.get(`${server.getHost()}/admin?boot-key=lala`);
 await driver.findContentWait('div', /Is home page available/, 2000);
 });
 });
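Review bot: In the first Boot.ts hunk the updated `assert.include(…, 'GRIST_BOOT_KEY=example-')` checks only the fixed prefix, so it would still pass if the random suffix this commit introduces were lost or empty. Pin the shape instead, e.g. `assert.match(await driver.findContentWait('pre', /GRIST_BOOT_KEY/, 2000).getText(), /GRIST_BOOT_KEY=example-[0-9a-f-]{8,}$/);`, and consider also reading the `/admin?boot-key=` `pre` and asserting it carries the same value, so the two suggestions shown to the operator cannot drift apart. The helper function this assertion lives in begins before the hunk.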