feat: restrict aliases to events, disable login with alias (#80)

* fix: use right key for participants * feat: restrict aliases to events, disable login with alias
coopanio · Apr 30, 2023 · 32b681d · 32b681d
1 parent 279ce93
commit 32b681d
Show file tree

Hide file tree

Showing 6 changed files with 12 additions and 26 deletions.
diff --git a/app/interactors/authenticate_credentials.rb b/app/interactors/authenticate_credentials.rb
@@ -23,8 +23,10 @@ def authenticate_user
     fail!(error: Errors::AccessDenied.new(identifier_type:)) if identity.disabled?
   end
 
+  # TODO: fix aliased tokens, because they cause a security vulnerability.
   def authenticate_token
-    self.identity = Token.from_value(identifier)
+    self.identity = Token.from_hash(identifier)
+    fail!(error: Errors::AccessDenied.new(identifier_type:)) if identity.nil?
     fail!(error: Errors::AccessDenied.new(identifier_type:)) if identity.disabled?
   end
 

diff --git a/app/interactors/create_token.rb b/app/interactors/create_token.rb
@@ -56,7 +56,10 @@ def find_or_initialize_token
   end
 
   def find_token
-    Token.from_value(cleaned_identifier) if identifier.present?
+    token = Token.from_hash(cleaned_identifier) if identifier.present?
+    return token if token.present?
+
+    Token.from_alias(cleaned_identifier, event:) if identifier.present? && aliased
   rescue ActiveRecord::RecordNotFound
     nil
   end

diff --git a/app/models/token.rb b/app/models/token.rb
@@ -21,24 +21,18 @@ class Token < ApplicationRecord
 
   after_initialize :init
 
-  def self.from_value(value)
-    token = Token.from_hash(value)
-    token = Token.from_alias(value) if token.nil?
-
-    token
-  end
-
   def self.from_hash(hash)
     hash = sanitize(hash)
 
     ids = HashIdService.decode(hash)
     Token.find(ids.first) unless ids.empty?
   end
 
-  def self.from_alias(value)
+  def self.from_alias(value, event: nil)
     value = sanitize(value)
+    return Token.find_by!(alias: value) if event.blank?
 
-    Token.find_by!(alias: value)
+    Token.find_by!(alias: value, event: event)
   end
 
   def self.sanitize(value)

diff --git a/app/views/questions/ballot/_secret.html.erb b/app/views/questions/ballot/_secret.html.erb
@@ -27,7 +27,7 @@
               <%= t('stats.census') %>
             </th>
             <th>
-              <%= t('stats.casted_votes') %>
+              <%= t('stats.participants') %>
             </th>
           </tr>
         </thead>
@@ -37,7 +37,7 @@
               <% if Rails.configuration.x.asembleo.open_registration %>
                 <%= User.voter.enabled.count %>
               <% else %>
-                <%= @consultation.tokens.voter.count %>
+                <%= @consultation.tokens.enabled.voter.count %>
               <% end %>
             </td>
             <td>

diff --git a/test/controllers/sessions_controller_test.rb b/test/controllers/sessions_controller_test.rb
@@ -19,18 +19,6 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
     assert_equal principal.id, session[:identity_id]
   end
 
-  test 'should create session with aliased token' do
-    aliased_token = Faker::PhoneNumber.cell_phone
-    @params = { session: { identifier: aliased_token } }
-
-    principal.update!(alias: Token.sanitize(aliased_token))
-
-    subject
-
-    assert_response :redirect
-    assert_equal principal.id, session[:identity_id]
-  end
-
   test 'should fail on deleted token' do
     principal.destroy!
     subject

diff --git a/test/interactors/create_token_test.rb b/test/interactors/create_token_test.rb
@@ -21,7 +21,6 @@ class CreateTokenTest < ActionDispatch::IntegrationTest
 
   test 'should deliver magic link' do
     @params[:identifier] = 'voter@example.com'
-    @params[:aliased] = true
     @params[:send_magic_link] = true
 
     subject