Authentication can (prolly) be bypassed
As I stated here: socrates-server!20 (comment 64800582), we might have a problem in the current implementation of the authentication.

By default URLs are case-insensitive. Therefore `/management` and `/Management` address the same resource. Our auth middleware checks for `/management` to find out if admin rights are required. This will not match `/Management`. Therefore, it might be possible to access the management area without admin rights. The same is true for the user area.
Some research:
- https://stackoverflow.com/questions/21216523/nodejs-express-case-sensitive-urls (by default, URLs are not case sensitive, i.e. `/Management` and `/management` are treated the same)
- https://github.com/iZettle/express-lowercase-paths (a middleware that turns all URLs to lowercase)
Possible fixes:
- use the middleware that converts all URLs to lower-case
- convert URLs to lower-case in the authentication method
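As an added illustration (not the project's code), the snippet below models the middleware decision described above next to the case-normalised version from the second fix; the `/management` and `/user` prefixes, the role names and the `req.path` / `req.user.roles` shape are assumptions.

```javascript
// Constructed example: which role a path requires, vulnerable vs. fixed.
// Prefixes and role names are assumptions, not the project's real routes.
const PROTECTED = [
  { prefix: '/management', role: 'admin' },
  { prefix: '/user', role: 'user' },
];

// True when `pathname` is `prefix` itself or lies below it on a segment
// boundary (so '/managementx' is not treated as part of '/management').
function underPrefix(pathname, prefix) {
  return pathname === prefix || pathname.startsWith(prefix + '/');
}

// Vulnerable check: compares the raw path. Express routes '/Management'
// to the same handler as '/management', but this lookup finds no match
// and therefore demands no role at all.
function requiredRoleVulnerable(pathname) {
  const hit = PROTECTED.find((p) => underPrefix(pathname, p.prefix));
  return hit ? hit.role : null;
}

// Fixed check: lower-case the path first, mirroring the case-insensitive
// router, so every spelling of a protected path gets the same decision.
function requiredRoleFixed(pathname) {
  const normalised = pathname.toLowerCase();
  const hit = PROTECTED.find((p) => underPrefix(normalised, p.prefix));
  return hit ? hit.role : null;
}

// Express-style middleware built on either check. `req.path` and
// `req.user.roles` are assumed shapes for this example.
function requireRole(roleFor) {
  return function (req, res, next) {
    const role = roleFor(req.path);
    if (role === null) return next(); // not a protected area
    const roles = (req.user && req.user.roles) || [];
    if (roles.includes(role)) return next();
    res.statusCode = 403;
    res.end('forbidden');
  };
}
```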
Edited by Tobias Mende