make the example key on admin panel without auth work when insecure (#1024)
The example key shown on the admin panel to users who are not known to be administrators is generated using a method that is only available in secure environments. This adds a fallback for insecure environments. The key is less solid but again, it is just an example, and for an insecure environment. Tested manually running locally and using a hostname set in /etc/hosts.
This commit is contained in:
parent
e6e09e8645
commit
856dbef3df
@ -98,7 +98,7 @@ export class AdminPanel extends Disposable {
|
||||
* which could include a legit adminstrator if auth is misconfigured.
|
||||
*/
|
||||
private _buildMainContentForOthers(owner: MultiHolder) {
|
||||
const exampleKey = 'example-' + window.crypto.randomUUID();
|
||||
const exampleKey = _longCodeForExample();
|
||||
return dom.create(AdminSection, t('Administrator Panel Unavailable'), [
|
||||
dom('p', t(`You do not have access to the administrator panel.
|
||||
Please log in as an administrator.`)),
|
||||
@ -649,3 +649,19 @@ export const cssLabel = styled('div', `
|
||||
text-align: right;
|
||||
padding-right: 5px;
|
||||
`);
|
||||
|
||||
|
||||
/**
|
||||
* Make a long code to use in the example, so that if people copy
|
||||
* and paste it lazily, they end up decently secure, or at least a
|
||||
* lot more secure than a key like "REPLACE_WITH_YOUR_SECRET"
|
||||
*/
|
||||
function _longCodeForExample() {
|
||||
// Crypto in insecure contexts doesn't have randomUUID
|
||||
if (window.isSecureContext) {
|
||||
return 'example-a' + window.crypto.randomUUID();
|
||||
}
|
||||
return 'example-b' + 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.replace(/x/g, () => {
|
||||
return Math.floor(Math.random() * 16).toString(16);
|
||||
});
|
||||
}
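Review bot: The insecure-context fallback at `Math.floor(Math.random() * 16).toString(16)` undercuts the goal stated in the header comment, because `Math.random()` is not a cryptographic generator and its output is predictable from a handful of observed values, so a lazily copy-pasted `example-b…` key is not "decently secure". As far as I can tell only `randomUUID()` and `crypto.subtle` are gated on secure contexts while `crypto.getRandomValues()` is available in insecure ones too, so the fallback can draw from the same CSPRNG: `const bytes = window.crypto.getRandomValues(new Uint8Array(16));` followed by `return 'example-b' + Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');`. If the `Math.random()` branch is kept for some older browser, the comment above it should state plainly that the resulting key is not fit for use as a real secret rather than implying it is. The `_buildMainContentForOthers` hunk earlier in this section begins and ends outside its hunk.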
|
||||
|