Skip to content

Fix authorization middleware #344

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Hell1213 wants to merge 4 commits into from
Closed

Fix authorization middleware #344

Hell1213 wants to merge 4 commits into from

Conversation

@Hell1213
Copy link
Contributor

@Hell1213 Hell1213 commented Dec 29, 2025

Fixed critical security vulnerability where task endpoints accepted user credentials directly from requests without validating authenticated sessions, allowing unauthorized access to any user's tasks.

Fixes: #338

Changes Made
Added authentication middleware to validate user sessions
Created credential validation helpers to verify request params match session
Updated all 8 task endpoints to use session-based authentication
Integrated middleware protection for all task operations

Checklist

  • Ran npx prettier --write . (for formatting)
  • Ran gofmt -w . (for Go backend)
  • Ran npm test (for JS/TS testing)
  • Added unit tests, if applicable
  • Verified all tests pass
  • Updated documentation, if needed

Additional Notes

All task endpoints now require valid session before processing. Request credentials are validated against session data. Returns 401 for missing session, 403 for credential mismatch. Backward compatible with existing frontend.

@github-actions
Copy link

github-actions bot commented Dec 29, 2025

Thank you for opening this PR!

Before a maintainer takes a look, it would be really helpful if you could walk through your changes using GitHub's review tools.

Please take a moment to:

  • Check the "Files changed" tab
  • Leave comments on any lines for functions, comments, etc. that are important, non-obvious, or may need attention
  • Clarify decisions you made or areas you might be unsure about and/or any future updates being considered.
  • Finally, submit all the comments!

More information on how to conduct a self review:
https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request

This helps make the review process smoother and gives us a clearer understanding of your thought process.

Once you've added your self-review, we'll continue from our side. Thank you!

Hell1213
Hell1213 commented Dec 29, 2025
View reviewed changes
backend/middleware/auth.go
Copy link
Contributor Author

@Hell1213 Hell1213 Dec 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added session validation middleware

Hell1213
Hell1213 commented Dec 29, 2025
View reviewed changes
backend/middleware/auth_test.go
Copy link
Contributor Author

@Hell1213 Hell1213 Dec 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added tests for middleware validation

Hell1213
Hell1213 commented Dec 29, 2025
View reviewed changes
backend/controllers/auth_helpers.go
Copy link
Contributor Author

@Hell1213 Hell1213 Dec 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

implemented creds validation helpers

Hell1213
Hell1213 commented Dec 29, 2025
View reviewed changes
backend/controllers/auth_helpers_test.go
Copy link
Contributor Author

@Hell1213 Hell1213 Dec 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added tests for helper functions

Hell1213
Hell1213 commented Dec 29, 2025
View reviewed changes
backend/controllers/complete_task.go
Copy link
Contributor Author

@Hell1213 Hell1213 Dec 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

using session creds for bulk operations

Hell1213
Hell1213 commented Dec 29, 2025
View reviewed changes
backend/main.go
Copy link
Contributor Author

@Hell1213 Hell1213 Dec 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wrapped all task endpoints with auth middleware

Hell1213
Hell1213 commented Dec 29, 2025
View reviewed changes
Copy link
Contributor Author

@Hell1213 Hell1213 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

backend/controllers/get_tasks.go - Use session credentials instead of request params
backend/controllers/add_task.go - Use session credentials instead of request params
backend/controllers/edit_task.go - Use session credentials instead of request params
backend/controllers/modify_task.go - Use session credentials instead of request params
backend/controllers/complete_task.go - Use session credentials instead of request params
backend/controllers/delete_task.go - Use session credentials instead of request params

backend/controllers/delete_tasks.go - Use session credentials for bulk operations

@Hell1213
Copy link
Contributor Author

Hell1213 commented Dec 29, 2025

hey @its-me-abhishek PR ready for review, fixed: Session-based authorization for task endpoints.
please let me know if any changes needed !

@its-me-abhishek its-me-abhishek added the invalid This doesn't seem right label Dec 29, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

invalid This doesn't seem right

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Task endpoints missing session validation - users can access any user's data

2 participants

@Hell1213 @its-me-abhishek