From be0955bd29df990e6b2c1a7f044a8c578f3aafe2 Mon Sep 17 00:00:00 2001
From: Alistair Hey
Date: Thu, 26 Mar 2020 09:21:38 +0000
Subject: [PATCH] Check cookie exists and subject on cookie before using

We were checking if we had a cookie, but not then checking if it was not empty, and the subject was not empty before using it for redirecting to the user's dashboard (If they navigated to / or /dashboard)

Tested by deploying new dashboard, deleting cookie, setting cookie to empty string etc. All returned no error (but did show 401 not authorized)

Signed-off-by: Alistair Hey
---
 dashboard/of-cloud-dashboard/handler.js | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/dashboard/of-cloud-dashboard/handler.js b/dashboard/of-cloud-dashboard/handler.js
index 2c26f0ffb..2876dcff7 100644
--- a/dashboard/of-cloud-dashboard/handler.js
+++ b/dashboard/of-cloud-dashboard/handler.js
@@ -101,14 +101,20 @@ module.exports = async (event, context) => {
   const isSignedIn = /openfaas_cloud_token=.*\s*/.test(event.headers.cookie);
-  console.log(path);
-  if (path === "/" && isSignedIn) {
-    headers["Location"] = "/dashboard/"+ decodedCookie["sub"];
+  let statusCode = 404
+
+  // If we have a cookie, and it has a subject, then redirect to the subject's dashboard
+  if (decodedCookie && decodedCookie["sub"]) {
+    headers["Location"] = "/dashboard/"+ decodedCookie["sub"];
+    statusCode = 307
+  }
+
   return context
     .headers(headers)
-    .status(307)
-    .succeed();
+    .status(statusCode)
+    .succeed()
+  }
   let claims = get_all_claims(organizations, decodedCookie);