From e99c5ea67fd515f0cc1329eb2a5fc98128fa4c32 Mon Sep 17 00:00:00 2001
From: Kevin Day
Date: Tue, 6 Dec 2022 08:30:47 -0600
Subject: [PATCH 1/3] Issue 217: Weaver authentication is making unsafe assumptions on the data and failing out incorrectly.

When an error occurs either a valid error payload is returned or something else is returned. Do not be opinionated about errors payloads here because the fetchUser should not care at this time. Preserve the original user role and if it is not defined then set the role to ROLE_ANONYMOUS. Only when the payload has a valid Credentials structure should the session role be deleted and the credentials object be modified. Having a token when the payload is invalid or the role is anonymous results in an error message getting stuck. Delete the token in the case that the role is anonymous. After all, the anonymous user should not have a token. Continue to perform the completion steps needed to resolve the fetchUser request regardless of the payload structure.
---
 app/services/userService.js | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/app/services/userService.js b/app/services/userService.js
index 8c92dc50..0a2e26e2 100644
--- a/app/services/userService.js
+++ b/app/services/userService.js
@@ -10,10 +10,24 @@ core.service("UserService", function ($q, StorageService, User, WsApi) {
 
 UserService.fetchUser = function () {
 userEvents.notify('FETCH');
+
 return WsApi.fetch(currentUser.getMapping().instantiate).then(function (res) {
- delete sessionStorage.role;
- var credentials = angular.fromJson(res.body).payload.Credentials;
- currentUser.anonymous = credentials.role === appConfig.anonymousRole ? true : false;
+ var body = !res.body ? {} : angular.fromJson(res.body);
+ var credentials = { role: !currentUser.role ? "ROLE_ANONYMOUS" : currentUser.role };
+
+ // Only change credentials when packet structure is valid.
+ if (!!body.payload && !!body.payload.Credentials) {
+ delete sessionStorage.role;
+ credentials = angular.fromJson(res.body).payload.Credentials;
+ }
+
+ currentUser.anonymous = !credentials.role || credentials.role === appConfig.anonymousRole ? true : false;
+
+ // Cannot have a token for the anonymous role.
+ if (currentUser.anonymous) {
+ StorageService.delete("token");
+ }
+
 angular.extend(currentUser, credentials);
 StorageService.set("role", currentUser.role);
 userEvents.notify('RECEIVED');

From 25c2e7f9078ad0e48cb058a2683ec913a81cf9b3 Mon Sep 17 00:00:00 2001
From: Kevin Day
Date: Tue, 6 Dec 2022 08:44:03 -0600
Subject: [PATCH 2/3] Issue 217: also use appConfig.anonymousRole rather than hard-coded 'ROLE_ANONYMOUS'.
---
 app/services/userService.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/services/userService.js b/app/services/userService.js
index 0a2e26e2..6b814573 100644
--- a/app/services/userService.js
+++ b/app/services/userService.js
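Review bot: `angular.fromJson(res.body)` on the first added line still throws a SyntaxError when the body is present but not valid JSON (an HTML error page from a proxy, for instance), and nothing in this `then` callback catches it, so the promise rejects and the `angular.extend` / `StorageService.set` / `'RECEIVED'` completion steps the commit message wants to run regardless of payload structure are skipped; treating an unparsable body the same as a missing one closes that gap (PATCH 3/3 rewrites this line but keeps the unguarded parse). The `if` body then re-parses `res.body` instead of using the value already in `body`; `credentials = body.payload.Credentials;` parses once and cannot diverge from the check just above it. Note also that an invalid packet now deliberately keeps the previously stored role and token, so a failed credentials refresh leaves the client in its last known role rather than dropping to anonymous — fine if that is intended, but worth a one-line comment so it is not read as an oversight. The enclosing `fetchUser` callback continues beyond the end of the hunk.
```javascript
return WsApi.fetch(currentUser.getMapping().instantiate).then(function (res) {
    var body = {};
    try {
        body = !res.body ? {} : angular.fromJson(res.body);
    } catch (e) {
        // An unparsable body is deliberately treated like a missing one: it is not a
        // valid packet, so the current role is preserved by the fallback below.
    }
    // … unchanged: credentials fallback to the current or anonymous role …
    if (!!body.payload && !!body.payload.Credentials) {
        delete sessionStorage.role;
        credentials = body.payload.Credentials;
    }
    // … unchanged: anonymous flag, token removal, extend, role storage, notify …
```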
@@ -13,7 +13,7 @@ core.service("UserService", function ($q, StorageService, User, WsApi) {
 
 return WsApi.fetch(currentUser.getMapping().instantiate).then(function (res) {
 var body = !res.body ? {} : angular.fromJson(res.body);
- var credentials = { role: !currentUser.role ? "ROLE_ANONYMOUS" : currentUser.role };
+ var credentials = { role: !currentUser.role ? appConfig.anonymousRole : currentUser.role };
 
 // Only change credentials when packet structure is valid.
 if (!!body.payload && !!body.payload.Credentials) {

From 2a1bbd91907d90494a324a208df9da404297a866 Mon Sep 17 00:00:00 2001
From: Kevin Day
Date: Tue, 6 Dec 2022 10:22:55 -0600
Subject: [PATCH 3/3] Issue 217: Swap and adjust the boolean logic to be more JS-safe.

Reverse the bitwise not operations through a double negative. Add additional checks extra checks. There is also a ternary being used in the original code that is pointless. The logic is effectively: ``` true ?? true : false ``` Get rid of this pointless ternary.
---
 app/services/userService.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/services/userService.js b/app/services/userService.js
index 6b814573..e2c3bf78 100644
--- a/app/services/userService.js
+++ b/app/services/userService.js
@@ -12,16 +12,16 @@ core.service("UserService", function ($q, StorageService, User, WsApi) {
 userEvents.notify('FETCH');
 
 return WsApi.fetch(currentUser.getMapping().instantiate).then(function (res) {
- var body = !res.body ? {} : angular.fromJson(res.body);
- var credentials = { role: !currentUser.role ? appConfig.anonymousRole : currentUser.role };
+ var body = !!res && !!res.body ? angular.fromJson(res.body) : {};
+ var credentials = { role: !!currentUser.role ? currentUser.role : appConfig.anonymousRole };
 
 // Only change credentials when packet structure is valid.
- if (!!body.payload && !!body.payload.Credentials) {
+ if (!!body && !!body.payload && !!body.payload.Credentials) {
 delete sessionStorage.role;
 credentials = angular.fromJson(res.body).payload.Credentials;
 }
 
- currentUser.anonymous = !credentials.role || credentials.role === appConfig.anonymousRole ? true : false;
+ currentUser.anonymous = !credentials.role || credentials.role === appConfig.anonymousRole;
 
 // Cannot have a token for the anonymous role.
 if (currentUser.anonymous) {
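Review bot: The `!!` wrapped around every operand of `&&` and around the `?:` conditions on the first two added lines and the `if` is redundant, since both operators already test truthiness; `var body = res && res.body ? angular.fromJson(res.body) : {};` and `if (body && body.payload && body.payload.Credentials) {` behave identically and read more easily, and `!!` only earns its place where a real boolean is stored, as on the rewritten `currentUser.anonymous` line. The added `body` guard itself is worthwhile rather than defensive noise — `angular.fromJson('null')` returns `null`, which the previous condition would have dereferenced — so a short comment such as `// body is null when the response body is the JSON literal null` would keep a later cleanup from dropping it. The `.then` callback being edited continues past the end of the hunk.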