JOHN PSINA
Nuxt
Created by JOHN PSINA on 5/27/2024 in #❓・help
All Nuxt3 routes are displayed in production (Security vulnerability)
thank you!
24 replies
Nuxt
Created by JOHN PSINA on 5/27/2024 in #❓・help
All Nuxt3 routes are displayed in production (Security vulnerability)
I solved my problem like this:

```js
if (isUserAdmin && isAdminLoginPage) {
  // open with target '_self' makes the redirect a full page load
  return navigateTo(`/${ADMIN_URL}/`, { redirectCode: 302, open: { target: '_self' } });
}
```

Now the redirect occurs with a page reload, and the checks are triggered on the server side, not the client.
24 replies
Nuxt
Created by JOHN PSINA on 5/27/2024 in #❓・help
All Nuxt3 routes are displayed in production (Security vulnerability)
Thank you very much for your advice. I have just been able to enter the administrative interface of the site through an anonymous tab by simply replacing the variable in the debugger 😲. It turned out like this: a check was performed on the server side, which, when a user tries to log in to the admin without permissions, redirects to the admin login page. And on the login page of the admin panel, there is a check that if the user is authorized, he will be redirected to the main page of the admin panel. As a result, the server side redirects to the login through a 302 redirect, on the login page the server side sees that the person is not authorized, so it allows him to the login page, but on the client side the same middleware (when replacing the variable through the debugger) thinks that the person has permissions and redirects to the main admin page, but since it's a client, the redirect happens not through a 302, but through a regular content substitution by the script, which leads to the possibility of replacing the variable again, avoiding server-side validation. Sorry to bother you again. Could you please tell me if it is possible to make a 302 redirect on the client side so that the page to which the redirect occurs is processed on the server side?
24 replies
Nuxt
Created by JOHN PSINA on 5/27/2024 in #❓・help
All Nuxt3 routes are displayed in production (Security vulnerability)
I also have a global middleware that sends a query to the database whenever the site is navigated, getting information about the user from the backend, and the above check is performed in the middleware immediately afterwards. I'm sorry to bother you, but I wanted to ask if you think this will be enough for security?
24 replies
Nuxt
Created by JOHN PSINA on 5/27/2024 in #❓・help
All Nuxt3 routes are displayed in production (Security vulnerability)
In general, I have a global middleware that checks if the link starts with “admin” and checks authorization and permissions before letting a person access the page and redirects to the login page otherwise (a little more complicated than I described, but you get the idea), but I still think that the less information a potential hacker has, the less likely it is that the site will be hacked
24 replies
Nuxt
Created by JOHN PSINA on 5/27/2024 in #❓・help
All Nuxt3 routes are displayed in production (Security vulnerability)
In your opinion, the fact that anyone can see what links are on my website (even administrative ones) cannot cause any problems?
24 replies