Basic security check on GDPR exports

PraxisMapper · Jun 29, 2023 · bf06ad5 · bf06ad5
1 parent 2dab1c8
commit bf06ad5
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/PraxisMapper/Controllers/ServerController.cs b/PraxisMapper/Controllers/ServerController.cs
@@ -208,6 +208,7 @@ public List<int> GetRandomValuesForArea(string plusCode, int count)
         [Route("/[controller]/GdprExport/{username}/{pwd}")]
         public string Export(string username = "", string pwd = "")
         {
+            Response.Headers.Add("X-noPerfTrack", "Server/GdprExport");
             string accountId = "";
             string password = "";
             //GDPR Compliance Endpoint. Allows a user to decrypt(!) and receive all the data associated with them in the system. All means all, so they get the password strings encrypted.
@@ -221,6 +222,13 @@ public string Export(string username = "", string pwd = "")
                 password = pwd;
             }
 
+            //we still need to verify this is a legit request
+            if (!GenericData.CheckPassword(accountId, password))
+            {
+                System.Threading.Thread.Sleep(3500);
+                return "Invalid account credentials";
+            }
+
             StringBuilder sb = new StringBuilder();
             if (!string.IsNullOrWhiteSpace(accountId))
             {