From 856dbef3df9afb5ca985de7da93de11e4e10d3ca Mon Sep 17 00:00:00 2001 From: Paul Fitzpatrick Date: Wed, 12 Jun 2024 09:34:31 -0400 Subject: [PATCH] make the example key on admin panel without auth work when insecure (#1024) The example key shown on the admin panel to users who are not known to be administrators is generated using a method that is only available in secure environments. This adds a fallback for insecure environments. The key is less solid but again, it is just an example, and for an insecure environment. Tested manually running locally and using a hostname set in /etc/hosts. --- app/client/ui/AdminPanel.ts | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/app/client/ui/AdminPanel.ts b/app/client/ui/AdminPanel.ts index 37d4f4e2..bfd2bd6c 100644 --- a/app/client/ui/AdminPanel.ts +++ b/app/client/ui/AdminPanel.ts @@ -98,7 +98,7 @@ export class AdminPanel extends Disposable { * which could include a legit adminstrator if auth is misconfigured. */ private _buildMainContentForOthers(owner: MultiHolder) { - const exampleKey = 'example-' + window.crypto.randomUUID(); + const exampleKey = _longCodeForExample(); return dom.create(AdminSection, t('Administrator Panel Unavailable'), [ dom('p', t(`You do not have access to the administrator panel. Please log in as an administrator.`)), @@ -649,3 +649,19 @@ export const cssLabel = styled('div', ` text-align: right; padding-right: 5px; `); + + +/** + * Make a long code to use in the example, so that if people copy + * and paste it lazily, they end up decently secure, or at least a + * lot more secure than a key like "REPLACE_WITH_YOUR_SECRET" + */ +function _longCodeForExample() { + // Crypto in insecure contexts doesn't have randomUUID + if (window.isSecureContext) { + return 'example-a' + window.crypto.randomUUID(); + } + return 'example-b' + 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.replace(/x/g, () => { + return Math.floor(Math.random() * 16).toString(16); + }); +}