Hackish fix for security issue #29
manuelstofer committed Jul 27, 2015
1 parent e62e215 commit 2da3fa5
Showing 2 changed files with 5 additions and 1 deletion.
3 changes: 3 additions & 0 deletions frontend/app.jsx
@@ -1,5 +1,8 @@
'use strict';

var secureUrl = location.pathname + location.search.replace(/&token=[^&]+(&?)/, '$1')
history.pushState('', '', secureUrl);

import moment from 'moment';
import React from 'react/addons';
import Router from 'react-router';
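Review bot: the regex on the `secureUrl` line only matches a token preceded by `&`, so a URL whose query string starts with `?token=...` keeps the token in the address bar. Matching on `[?&]token=` and restoring the leading `?` when other parameters follow would cover both positions. `history.pushState` also adds a new entry rather than replacing the current one, so the original URL with the token stays one Back press away in session history; `history.replaceState('', '', secureUrl)` avoids that. `location.hash` is dropped from the rebuilt URL, and the `var secureUrl` line is missing its trailing semicolon.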
3 changes: 2 additions & 1 deletion frontend/components/App.jsx
Expand Up @@ -13,9 +13,10 @@ var App = React.createClass({
mixins: [ State ],

componentWillMount () {
var token = document.documentElement.getAttribute('x-token');
LoginActions.updateCredentials({
username: this.props.location.query.username,
token: this.props.location.query.token
token: token
});
},
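Review bot: `document.documentElement.getAttribute('x-token')` in `componentWillMount` returns `null` when the attribute is absent, and that value is passed to `LoginActions.updateCredentials` with no check. Guard it, or fail visibly, so a page rendered without the attribute does not proceed with `token: null`. `username` is still read from `this.props.location.query` while the token now comes from the DOM, so the two credentials come from different sources; a short comment saying what sets `x-token` would help. `x-token` is not a valid custom attribute name in HTML; `data-token` is the standard form.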


3 comments on commit 2da3fa5

@maxkueng
Member

This works but it breaks the ability to refresh the page. There's a refresh button in the Yo app.

@manuelstofer
Contributor Author

Could be fixed by storing the token in localStorage.

@maxkueng
Member

Yeah that's possible. But we'd have to update the route validation too.
