Describe the Bug (Bug description)
On line 44 of the uth.service.ts file in the sequalize folder I have noticed that you search for a user only by their password. I am not sure what the returned user is used for (as they are being logged out), but it seems to me that you could return an incorrect user if two users were to use the same password. I suggest changing this to search for the user by a unique field, or by an email and password combination.
Version to Reproduce (Version currently used)
Any environment.
Steps to Reproduce (Reproduction steps)
Create a user with password "password"
Create a second user with password "password"
Login as the second user
Log out
You will be returned the user from step 1 above even though you were logged in as the user from step 2!
Expected Behavior (Expected behavior)
Should return the user you are logged in as.
Actual Behavior (Actual behavior)
A different user (with the same password) is returned.
Additional Context (Additional notes)
This same technique seems to be used in TypeORM and mongoose as well. If it is an issue then it probably needs changing in all these.
Capture screen (Captured screen)
Sorry for the late response.
In order to secure the case of using the same password mentioned first, the e-mail has also been changed through the and clause.
However, I don't think that it is very dangerous for security because the account information stored in the existing cookie or header is verified through auth.middleware during the logout process.
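The lookup described in this issue, as an added example that is not the project's own code: an in-memory stand-in for a Sequelize model's findOne({ where }) (the users array and the emulated findOne are constructed here, and passwords are kept in plaintext only to mirror the reported query), showing the password-only lookup beside the email-and-password lookup from the reply and an id-only lookup that relies on the identity auth.middleware already verified.

```javascript
// Constructed sample data: two accounts that share the same password.
const users = [
  { id: 1, email: 'alice@example.test', password: 'password' },
  { id: 2, email: 'bob@example.test',   password: 'password' },
];

// Minimal emulation of Model.findOne({ where: {...} }) (assumption, not Sequelize):
// every key in `where` must match (SQL AND), and the first row wins, as with
// SELECT ... LIMIT 1 and no ORDER BY.
function findOne({ where }) {
  const match = users.find(u => Object.keys(where).every(k => u[k] === where[k]));
  return match || null;
}

// The pattern the issue reports: look the user up by password alone.
// With two accounts sharing a password this returns whichever row comes first,
// regardless of who is actually logged in.
function findUserByPasswordOnly(password) {
  return findOne({ where: { password } });
}

// The change described in the reply: AND the unique e-mail into the WHERE clause,
// so a shared password can no longer select another account.
function findUserByEmailAndPassword(email, password) {
  return findOne({ where: { email, password } });
}

// Stricter still for logout: once auth.middleware has verified the cookie or
// header, the authenticated user id alone identifies the row; no password
// needs to be part of the query at all.
function findUserById(id) {
  return findOne({ where: { id } });
}

module.exports = { findUserByPasswordOnly, findUserByEmailAndPassword, findUserById };
```

Logging out as bob and running findUserByPasswordOnly('password') yields alice's row, while either of the other two lookups yields bob's.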