Check cookie exists and subject on cookie before using

We were checking if we had a cookie, but not then checking if it was not empty, and the subject was not empty before using it for redirecting to the user's dashboard (If they navigated to / or /dashboard) Tested by deploying new dashboard, deleting cookie, setting cookie to empty string etc. All returned no error (but did show 401 not authorized) Signed-off-by: Alistair Hey <[email protected]>
openfaas · May 11, 2020 · be0955b · be0955b
1 parent 86de83c
commit be0955b
Showing 1 changed file with 11 additions and 5 deletions.
diff --git a/dashboard/of-cloud-dashboard/handler.js b/dashboard/of-cloud-dashboard/handler.js
@@ -101,14 +101,20 @@ module.exports = async (event, context) => {
 
     const isSignedIn = /openfaas_cloud_token=.*\s*/.test(event.headers.cookie);
 
-    console.log(path);
-
     if (path === "/" && isSignedIn) {
-      headers["Location"] =   "/dashboard/"+ decodedCookie["sub"];
+      let statusCode = 404
+
+      // If we have a cookie, and it has a subject, then redirect to the subject's dashboard
+      if (decodedCookie && decodedCookie["sub"]) {
+        headers["Location"] =   "/dashboard/"+ decodedCookie["sub"];
+        statusCode = 307
+      }
+
       return context
           .headers(headers)
-          .status(307)
-          .succeed();
+          .status(statusCode)
+          .succeed()
+
     }
 
     let claims = get_all_claims(organizations, decodedCookie);