
make the example key on admin panel without auth work when insecure ()

The example key shown on the admin panel to users who are not known to be
administrators is generated using a method that is only available in secure
environments. This adds a fallback for insecure environments. The fallback key is
weaker, but it is only an example, and it is only used in an insecure environment.

Tested manually running locally and using a hostname set in /etc/hosts.
Paul Fitzpatrick 2024-06-12 09:34:31 -04:00 committed by GitHub
parent e6e09e8645
commit 856dbef3df
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -98,7 +98,7 @@ export class AdminPanel extends Disposable {
* which could include a legit adminstrator if auth is misconfigured.
*/
private _buildMainContentForOthers(owner: MultiHolder) {
const exampleKey = 'example-' + window.crypto.randomUUID();
const exampleKey = _longCodeForExample();
return dom.create(AdminSection, t('Administrator Panel Unavailable'), [
dom('p', t(`You do not have access to the administrator panel.
Please log in as an administrator.`)),
@ -649,3 +649,19 @@ export const cssLabel = styled('div', `
text-align: right;
padding-right: 5px;
`);
/**
* Make a long code to use in the example, so that if people copy
* and paste it lazily, they end up decently secure, or at least a
* lot more secure than a key like "REPLACE_WITH_YOUR_SECRET"
*/
function _longCodeForExample() {
// Crypto in insecure contexts doesn't have randomUUID
if (window.isSecureContext) {
return 'example-a' + window.crypto.randomUUID();
}
return 'example-b' + 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.replace(/x/g, () => {
return Math.floor(Math.random() * 16).toString(16);
});
}
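Review bot: The insecure-context fallback in `_longCodeForExample` (the `Math.random()` branch at the end of the second hunk) gives up CSPRNG quality unnecessarily: only `crypto.randomUUID()` is restricted to secure contexts, while `crypto.getRandomValues()` is available in insecure contexts too, so the fallback can stay cryptographically random. That matters because the doc comment just above promises that someone who lazily copies the example "ends up decently secure", which a `Math.random()`-derived key does not deliver. It would also be more robust to feature-detect `randomUUID` rather than test `window.isSecureContext`, since browsers that are in a secure context but predate `randomUUID` would otherwise throw at `window.crypto.randomUUID()`. The function is entirely within the hunk; a rewrite along these lines keeps the `example-a`/`example-b` prefixes so the two code paths remain distinguishable.

```typescript
function _longCodeForExample() {
  // randomUUID is secure-context-only (and missing in older browsers);
  // getRandomValues is a CSPRNG that is available in insecure contexts as well.
  if (typeof window.crypto?.randomUUID === 'function') {
    return 'example-a' + window.crypto.randomUUID();
  }
  const bytes = window.crypto.getRandomValues(new Uint8Array(16));
  return 'example-b' + Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}
```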