

Give me a sec

Where do you use loadSession besides logout?

func login(email: String, password: String) async throws -> [String: Any] {
    if let savedSession = loadSession() {

And on the login page

.onAppear {
    if let session = authenticationNode.shared.loadSession() {
        if let _ = session["userId"] as? String {
            isUserLoggedIn = true
        }
    }
}

You are not authenticating the user anywhere. It appears you only check whether you have stored a session object in the keychain.

AFAIK the Apple SDK should also automatically persist the session for you

What do you mean by this? And how does this end up authenticating the image upload?

It doesn't, when I swiped up the app and re-launched it, I had to log in again

Can you call the Accounts.get() endpoint after relaunching your app

What permission did you set for that bucket?


and I also enabled file level permissions

👍 ok one second

should I remove all the keychain shenanigans then put that?

You have to be authenticated in order to upload in your case

So you are definitely authenticated.

Yeah sure. Makes debugging easier

Yes I know, but the thing is, if someone logs in with account A they can snoop the network requests, and send a request with their authentication but giving everyone file permissions to see their file. So user B will be able to see it too.

That's what I'm scared of.

Can you elaborate your concerns a little bit further? Not sure if I can follow

Alright one sec

What possible attack scenario are you trying to prevent?

Let's say Bob has logged into my app. Bob uploads an image but inspects the network logs. Bob now has the network request to upload an image to my bucket. The network request Bob has uploaded has all these parameters:
    bucketId: "66cc7031002044095926",
    fileId: "unique()",
    file: InputFile.fromData(data, filename: filename, mimeType: "image/jpeg"),
    permissions: [
        "user:\(userId).read",
        "user:\(userId).write"
    ]
Bob notices the 'permissions' parameter. Bob decides to change it from user:userid.read to Role.any.
John decides to log into the app. John sees all of his uploads but then spots an upload that isn't his. This upload is the image that Bob sent with the Role.any permission.
