Skip to content
Start building
Back

Upload based on authentication

  • 1
  • Apple
View on Discord
WhMonkey
27 Aug, 2024, 14:43

https://pastebin.com/eKm06rbE

TL;DR
Developers are discussing potential security risks with uploads based on user authentication. Bob uploads an image and changes permissions to Role.any, allowing John to see it. Developers need to ensure users can only upload files they should see. The code for uploading images contains permissions based on the userid. The issue may stem from lack of proper authentication checks before uploading.
Joshi
27 Aug, 2024, 14:45

Give me a sec

Joshi
27 Aug, 2024, 14:45

Where do you use loadSession besides logout?

WhMonkey
27 Aug, 2024, 14:47
TypeScript
func login(email: String, password: String) async throws -> [String: Any] {
        if let savedSession = loadSession() {
WhMonkey
27 Aug, 2024, 14:47

And on the login page

WhMonkey
27 Aug, 2024, 14:47
TypeScript
        .onAppear {
            if let session = authenticationNode.shared.loadSession() {
                if let _ = session["userId"] as? String {
                    isUserLoggedIn = true
                }
            }
        }
Joshi
27 Aug, 2024, 14:48

You are not authenticating the user anywhere. It appears you only check whether you haved stored a session object in the keychain

Joshi
27 Aug, 2024, 14:49

AFAIK the apple sdk should also automatically persist the session for you

WhMonkey
27 Aug, 2024, 14:50

What do you mean by this? And how does this end up authenticating the image upload?

WhMonkey
27 Aug, 2024, 14:51

It doesnt, when I swiped up the app and re-launched it, I had to login again

Joshi
27 Aug, 2024, 14:51

Can you call the Accounts.get() endpoint after relaunching your app

Joshi
27 Aug, 2024, 14:52

What permission did you set for that bucket?

WhMonkey
27 Aug, 2024, 14:53
WhMonkey
27 Aug, 2024, 14:53

and I also enabled file level permissions

WhMonkey
27 Aug, 2024, 14:53

👍 ok one second

WhMonkey
27 Aug, 2024, 14:53

should I remove all the keychain shenanigans then put that?

Joshi
27 Aug, 2024, 14:54

You have to be authenticated in order to upload in your case

Joshi
27 Aug, 2024, 14:54

So you are definitely authenticated.

Joshi
27 Aug, 2024, 14:54

Yeah sure. Makes debugging easier

WhMonkey
27 Aug, 2024, 14:55

Yes I know, but the thing is, if someone logins in with account A they can snoop the network requests, and send a request with their authentication but giving everyone file permissions to see their file. So user B will be able to see it too.

WhMonkey
27 Aug, 2024, 14:55

That's what I'm scared of.

Joshi
27 Aug, 2024, 14:57

Can you elaborate your concerns a little bit further? Not sure if I can follow

WhMonkey
27 Aug, 2024, 14:57

Alright one sec

Joshi
27 Aug, 2024, 14:57

What possible attack scenario are you trying to prevent?

WhMonkey
27 Aug, 2024, 15:00

Let's say Bob has logged into my app. Bob uploads an image but inspects the network logs. Bob now has the network request to upload an image to my bucket. The network request Bob has uploaded has all these parameters:

TypeScript
                bucketId: "66cc7031002044095926",
                fileId: "unique()",
                file: InputFile.fromData(data, filename: filename, mimeType: "image/jpeg"),
                permissions: [
                    "user:\(userId).read",
                    "user:\(userId).write"
                ]

Bob notices the 'permissions' parameter. Bob decides to cange it from user:userid.read to Role.any.

John decides to log into the app. John sees all of his uploads but then spots an upload that isn't his. This upload is the image that Bob sent with the Role.any permission.

Reply

Reply to this thread by joining our Discord

Reply on Discord

Recommended threads

Need support?

Join our Discord

Get community support by joining our Discord server.

Join Discord

Get premium support

Join Appwrite Pro and get email support from our team.

Learn more