security: critical fixes (test route, edit authz, nostr signature, calendar IDOR)

- Remove unauthenticated /test route that dispatched FetchNostrProfileJob
  for a hardcoded user (routes/web.php).
- Enforce created_by ownership check in meetup and lecturer Livewire edit
  components; mirror the existing services/edit pattern.
- Replace blind-trust nostrLoggedIn handler with NIP-42-style signed event
  verification: server-issued challenge stored in session, client signs a
  kind:22242 event, server verifies signature via swentel/nostr-php and
  derives npub. Challenge is single-use with 5-minute TTL.
- Validate the ?my[] parameter on the calendar download endpoint as an
  array of integers and intersect with the authenticated user's meetups.
This commit is contained in:
Claude
2026-05-03 12:51:10 +00:00
parent 1f9e5309d2
commit 90835f8b1f
6 changed files with 139 additions and 20 deletions
@@ -2,20 +2,13 @@
use App\Http\Controllers\DownloadMeetupCalendar;
use App\Http\Controllers\ImageController;
use App\Jobs\FetchNostrProfileJob;
use App\Livewire\Helper\FollowTheRabbit;
use App\Models\User;
use Illuminate\Support\Facades\Route;
use Laravel\Nightwatch\Http\Middleware\Sample;
// Redirect root URL to 'welcome' page
Route::redirect('/', 'welcome');
// Test route that dispatches a job to fetch Nostr profile for user with ID 1426
Route::get('test', function () {
FetchNostrProfileJob::dispatchSync(User::find(1426));
});
// Error page route that aborts with given HTTP status code (digits only,
// constrained to valid 4xx/5xx range to avoid TypeErrors from bot scans).
Route::get('error/{code}', function (string $code) {
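Review bot: dropping the `use App\Models\User;` and `use App\Jobs\FetchNostrProfileJob;` imports together with the `/test` route is correct only if nothing further down routes/web.php still references `User` (the hunk shows only the top of the file), so confirm the file has no remaining `User::` usage before merging; the removal itself is the right fix, since the route let any unauthenticated caller trigger a synchronous job for a hardcoded user ID. Consider also adding a feature test asserting that `GET /test` now returns 404, so the endpoint cannot quietly reappear in a later refactor.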