Give me a sec
Where do you use loadSession besides logout?
func login(email: String, password: String) async throws -> [String: Any] {
    if let savedSession = loadSession() {
And on the login page
.onAppear {
    if let session = authenticationNode.shared.loadSession() {
        if let _ = session["userId"] as? String {
            isUserLoggedIn = true
        }
    }
}
You are not authenticating the user anywhere. It appears you only check whether you have stored a session object in the keychain
AFAIK the apple sdk should also automatically persist the session for you
What do you mean by this? And how does this end up authenticating the image upload?
It doesn't, when I swiped up the app and re-launched it, I had to login again
Can you call the Accounts.get() endpoint after relaunching your app
What permission did you set for that bucket?
and I also enabled file level permissions
👍 ok one second
should I remove all the keychain shenanigans then put that?
You have to be authenticated in order to upload in your case
So you are definitely authenticated.
Yeah sure. Makes debugging easier
Yes I know, but the thing is, if someone logs in with account A they can snoop the network requests, and send a request with their authentication but giving everyone file permissions to see their file. So user B will be able to see it too.
That's what I'm scared of.
Can you elaborate your concerns a little bit further? Not sure if I can follow
Alright one sec
What possible attack scenario are you trying to prevent?
Let's say Bob has logged into my app. Bob uploads an image but inspects the network logs. Bob now has the network request to upload an image to my bucket. The network request Bob has uploaded has all these parameters:
    bucketId: "66cc7031002044095926",
    fileId: "unique()",
    file: InputFile.fromData(data, filename: filename, mimeType: "image/jpeg"),
    permissions: [
        "user:\(userId).read",
        "user:\(userId).write"
    ]
Bob notices the 'permissions' parameter. Bob decides to change it from user:userid.read to Role.any.
John decides to log into the app. John sees all of his uploads but then spots an upload that isn't his. This upload is the image that Bob sent with the Role.any permission.