appsmithorg / appsmith

Platform to build admin panels, internal tools, and dashboards. Integrates with 25+ databases and any API.
https://www.appsmith.com
Apache License 2.0

[Bug]: Git user config page can be accessed without user signed in #34603

Open riteshkew opened 3 weeks ago

riteshkew commented 3 weeks ago

Is there an existing issue for this?

Description

When we go to app.appsmith.com/profile, the page can be accessed without the user logging in. Ideally it should redirect to the login page.

Steps To Reproduce

  1. Open incognito window
  2. Open app.appsmith.com/profile
  3. Go to Git user config
  4. After some time it redirects to the login page.
  5. Go back using the browser control and it shows the form for Git user config. In a throttled environment, the page is accessible.

Public Sample App

No response

Environment

Production

Severity

High (Blocker to building or releasing)

Issue video log

No response

Version

Cloud - 1.29

SunnyTitus commented 3 weeks ago

Hi @riteshkew , @Nikhil-Nandagopal

Please find the possible solution through my findings:

"To secure the Git user config page, we need to implement route protection on the frontend using a higher-order component to check for user authentication and redirect unauthenticated users to the login page. On the backend, we will use Spring Security to ensure that only authenticated users can access the /profile endpoint. This solution ensures that sensitive configuration settings are protected from unauthorized access."

Our team will be working on this issue and will update accordingly.

Shivam-z commented 2 weeks ago

@SunnyTitus @Nikhil-Nandagopal I am picking up this issue.

Approach: On the profile page there is a tab list with two tabs:

Observation: User -> unauthorized. When the user is on the profile page with the General tab selected by default, it shows the General tab and does not redirect to the sign-in page.

When we click on the Git config tab, it redirects us to the sign-in page.

Possible Reason: when the Git config page mounts it calls this protected endpoint: https://dev.appsmith.com/api/v1/git/profile/default, which is missing when the General tab mounts.

[Screenshot from 2024-07-10 10-00-43]

Solving Approach: We can call this protected endpoint when the general tab page also mounts to protect this page from unauthorized users.
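Both proposals in this thread (a route guard in front of the profile page, and probing the protected endpoint from the General tab as well as the Git config tab) reduce to the same check, so here is one sketch of it as an added example; this is not Appsmith's code. It keeps the page in a "checking" state until the probe answers, which is what closes the throttled-network and back-button cases from the report; the endpoint path comes from the issue, while `LOGIN_ROUTE`, the `fetchImpl` parameter and the state names are assumptions.

```javascript
// Added example, not Appsmith's own code. It models the fix discussed above:
// probe a session-protected endpoint on mount of *every* profile tab and
// decide, before rendering, whether to show the form or redirect to login.
const PROTECTED_PROBE = "/api/v1/git/profile/default"; // endpoint named in the issue
const LOGIN_ROUTE = "/user/login"; // assumed placeholder, not taken from the page

// Pure decision: maps the probe's HTTP status to a render/redirect outcome.
// Anything other than a clear 2xx fails closed, so the form never renders
// on a transport error or an unexpected reply.
function decideFromProbe(status, currentPath) {
  if (status === 401 || status === 403) {
    const back = encodeURIComponent(currentPath);
    return {
      state: "unauthenticated",
      render: false,
      redirectTo: `${LOGIN_ROUTE}?redirectUrl=${back}`,
    };
  }
  if (status >= 200 && status < 300) {
    return { state: "authenticated", render: true };
  }
  return { state: "error", render: false };
}

// Runs the probe; the caller renders nothing until the returned promise
// resolves. Gating the render on the result is what closes the window the
// issue reports: on a throttled network the form was painted before the
// 401 arrived. `fetchImpl` is assumed to behave like window.fetch.
async function resolveProfileAccess(fetchImpl, currentPath) {
  let status;
  try {
    const res = await fetchImpl(PROTECTED_PROBE, { credentials: "include" });
    status = res.status;
  } catch (_) {
    status = 0; // transport failure -> fail closed
  }
  return decideFromProbe(status, currentPath);
}

// Step 5 of the report: the browser's back button restored the form from the
// back/forward cache. A persisted `pageshow` event must re-run the check.
function shouldRecheckOnPageShow(event) {
  return Boolean(event) && event.persisted === true;
}
```

Wire `resolveProfileAccess` into the mount of the profile route itself rather than into one tab, and register `shouldRecheckOnPageShow` on `window`'s `pageshow` event so a cached page is re-validated.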

brayn003 commented 2 weeks ago

Hi @Shivam-z, thank you for showing an interest in solving this issue. Please go ahead and raise a PR, I will help you with review and testing once it is done.

Shivam-z commented 2 weeks ago

Hi @brayn003 , I have raised a PR for this issue. Can you take a look at it? Thank you.