fix(security): replace getQuery with frontend equivalent

2024-05-20 04:32:37 +12:00 · 2021-08-31 16:05:43 +02:00 · 2021-08-31 16:05:43 +02:00 · c729972325
parent 4267221970
commit c729972325
2 changed files with 9 additions and 17 deletions
--- a/app/controllers/web/home.php
+++ b/app/controllers/web/home.php
@ -201,22 +201,11 @@ App::get('/auth/magic-url')
    ->groups(['web', 'home'])
    ->label('permission', 'public')
    ->label('scope', 'home')
-    ->inject('request')
-    // ->inject('response')
    ->inject('layout')
-    ->action(function ($request, $layout) {
-        /** @var Utopia\Swoole\Request $request */
-        /** @var Utopia\Swoole\Response $response */
+    ->action(function ($layout) {
+        /** @var Utopia\View $layout */

        $page = new View(__DIR__.'/../../views/home/auth/magicURL.phtml');
-        
-        $userId = $request->getQuery('userId');
-        $secret = $request->getQuery('secret');
-        $project = $request->getQuery('project');
-        $page
-            ->setParam('userId', $userId)
-            ->setParam('secret', $secret)
-            ->setParam('project', $project);

        $layout
            ->setParam('title', APP_NAME)
--- a/app/views/home/auth/magicURL.phtml
+++ b/app/views/home/auth/magicURL.phtml
@ -10,11 +10,14 @@
        document.getElementById('message').style.display = 'block';
    }, 25);

-    <?php echo "const userId = '" . $this->getParam('userId') . "';"; ?>
-    <?php echo "const secret = '" . $this->getParam('secret') . "';"; ?>
-    <?php echo "const project = '" . $this->getParam('project') . "';"; ?>
+    const urlSearchParams = new URLSearchParams(window.location.search);
+    const {
+        userId,
+        secret,
+        project
+    } = Object.fromEntries(urlSearchParams.entries());

-const formData = new FormData();
+    const formData = new FormData();
    formData.append('userId', userId);
    formData.append('secret', secret);