leepeuker / movary

Self hosted web app to track and rate your watched movies
MIT License

Improve the handling of unauthenticated users #517

Closed JVT038 closed 11 months ago

JVT038 commented 11 months ago

This PR automatically redirects users to the login page if they're not authenticated, with a warning that they have to log in before viewing the page.

Besides that, the user will be redirected back to the page they attempted to view if they log in.

JVT038 commented 11 months ago

BTW, currently the redirection target URL is encoded and stored in the GET parameters. So it's like localhost/login?redirect={target url}.

In theory, anyone could just manually edit the target URL in the GET parameter and be redirected to whatever they want. Is this dangerous, or should we check if the target URL exists and stuff?

leepeuker commented 11 months ago

BTW, currently the redirection target URL is encoded and stored in the GET parameters. So it's like localhost/login?redirect={target url}.

In theory, anyone could just manually edit the target URL in the GET parameter and be redirected to whatever they want. Is this dangerous, or should we check if the target URL exists and stuff?

we should make sure to only allow relative URLs, I think then we are fine
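One way to enforce the "relative URLs only" rule discussed above, written as an added example and not taken from movary's own code base. The function names `isSafeRedirectTarget` and `resolveRedirectTarget` and the sample inputs are assumptions for this illustration; the check rejects absolute URLs, protocol-relative `//host` targets, the `/\host` backslash form that some browsers normalise to `//host`, and control characters, so the only thing a tampered `redirect` parameter can do is send the user to another path on the same site.

```php
<?php
declare(strict_types=1);

// Added example (not movary's code): accept only same-site relative paths as
// a post-login redirect target, as proposed in the review comment above.
function isSafeRedirectTarget(string $target): bool
{
    // Must be non-empty and start with a forward slash (a site-relative path).
    if ($target === '' || $target[0] !== '/') {
        return false;
    }
    // "//host" is protocol-relative and "/\host" is treated the same way by
    // some browsers; both would leave the site.
    if (strlen($target) > 1 && ($target[1] === '/' || $target[1] === '\\')) {
        return false;
    }
    // No backslashes anywhere, since they may be normalised to slashes.
    if (str_contains($target, '\\')) {
        return false;
    }
    // Control characters (CR, LF, NUL, ...) have no place in a Location header.
    if (preg_match('/[\x00-\x1F\x7F]/', $target) === 1) {
        return false;
    }
    // Defence in depth: PHP's own parser must see neither a scheme nor a host.
    $parts = parse_url($target);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return false;
    }
    return true;
}

// Returns the requested target when it is safe, otherwise a fixed fallback.
function resolveRedirectTarget(?string $requested, string $fallback = '/'): string
{
    return ($requested !== null && isSafeRedirectTarget($requested)) ? $requested : $fallback;
}

// Constructed sample inputs (assumed, not from the project) with the expected verdicts.
$samples = [
    '/movies/42'                => true,
    '/settings?tab=account'     => true,
    '//other.example/landing'   => false, // protocol-relative, leaves the site
    '/\\other.example'          => false, // backslash quirk
    'https://other.example/'    => false, // absolute URL
    'movies/42'                 => false, // no leading slash
    "/login\r\nX-Injected: 1"   => false, // CR/LF in the target
    ''                          => false,
];

foreach ($samples as $input => $expected) {
    $verdict = isSafeRedirectTarget((string) $input) === $expected ? 'ok' : 'MISMATCH';
    printf("%-30s expected %-5s %s\n", var_export($input, true), var_export($expected, true), $verdict);
}

// Usage in a login handler would be:
//   header('Location: ' . resolveRedirectTarget($_GET['redirect'] ?? null));
```

The check runs on the raw value PHP already decoded once from the query string; do not decode it a second time before validating, or an encoded `%2F%2F` would pass the check and then turn into `//` at redirect time. Validating on the way out (at the `Location` header) rather than only when the `redirect` parameter is first generated means a hand-edited parameter is caught regardless of how it reached the login page.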