Can access protected pages such as admin.html from the address bar

Hello,

I have an issue. I can access my admin.html and client.html from the address bar even though I put a login in place; everything works fine when clicking on the links, but I wanted to test the address bar and unfortunately I can access them that way too. How can I correct the problem? Thanks for your help, here is the code:

In the back end, in app.js:


// Assumed setup, not shown in the original post: Express, path, cookie-parser
// (for req.cookies), a mysql2 pool (for pool.execute) and body parsing (for req.body).
const express = require('express');
const path = require('path');
const cookieParser = require('cookie-parser');
const mysql = require('mysql2/promise');

const app = express();
app.use(express.urlencoded({ extended: false }));
app.use(express.json());
app.use(cookieParser());
const pool = mysql.createPool(process.env.DATABASE_URL); // assumed connection URI

app.use(express.static("style"));
// Serves every file under the project directory, admin.html and client.html
// included, and this layer runs before the protected routes registered further down.
app.use(express.static(__dirname + '/'));

// Logout route
app.get('/logout', (req, res) => {
    // Remove the cookies
    res.clearCookie('loggedIn');
    res.clearCookie('isAdmin');
    res.clearCookie('isClient');

    // Redirect to the login page
    res.setHeader('Cache-Control', 'no-cache, no-store, must-revalidate');
    res.redirect('/login.html');
});

// User login route
app.post('/login', async (req, res) => {
    const { username, password } = req.body;

    if (!username || !password) {
        return res.status(400).json({ message: "Please provide a username and a password." });
    }

    // Parameterised query, but the password is compared in plain text against the stored value
    const query = "SELECT * FROM users WHERE username = ? AND password = ?";
    try {
        const [rows, fields] = await pool.execute(query, [username, password]);

        if (rows.length === 0) {
            return res.status(401).json({ message: "Incorrect username or password." });
        }

        const user = rows[0];
        const isAdministrateur = user.administrateur === 1;
        const isClient = user.client === 1;

        // Set cookies for the logged-in user. They are unsigned, and the booleans
        // reach the browser (and come back through cookie-parser) as the strings 'true' / 'false'.
        res.cookie('loggedIn', true);
        res.cookie('isAdmin', isAdministrateur);
        res.cookie('isClient', isClient);

        if (isAdministrateur) {
            return res.redirect('/admin.html');
        } else if (isClient) {
            return res.redirect('/client.html');
        } else {
            return res.status(401).json({ message: "This account is not allowed to log in." });
        }
    } catch (error) {
        console.error(error);
        res.status(500).send("An error occurred while logging in the user.");
    }
});

// Middleware checking whether the user is authenticated
function isAuthenticated(req, res, next) {
    if (req.cookies.loggedIn) {
        next();
    } else {
        res.redirect('/login.html');
    }
}

// Middleware checking whether the user is an administrator
// (req.cookies.isAdmin is a string, so the value 'false' also passes this test)
function isAdmin(req, res, next) {
    if (req.cookies.isAdmin) {
        next();
    } else {
        res.redirect('/login.html');
    }
}

// Middleware checking whether the user is a client
function isClient(req, res, next) {
    if (req.cookies.isClient) {
        next();
    } else {
        res.redirect('/login.html');
    }
}


// Route for client.html with the isClient middleware
app.get('/client.html', isAuthenticated, isClient, (req, res) => {
    res.sendFile(path.join(__dirname, 'client.html'));
});

// Route for admin.html with the isAdmin middleware
app.get('/admin.html', isAuthenticated, isAdmin, (req, res) => {
    res.sendFile(path.join(__dirname, 'admin.html'));
});

app.listen(3000); // assumed port, not shown in the original post

Hello,

Here is the GitHub link:

Thanks for your help

Are you sure you don’t just have a cookie set? Did you try clearing your cookies first, or test it in an Incognito window?

I cleared the browser cache and tested in an incognito tab, and nothing. I can still access it from the address bar.

As far as I can tell it is because of how the static files are served. If you move the protected routes up before the static file serving it should work (I think).

Ok, thank you, I'll try.

I moved the routes before the static file serving and I got an error in both cases. That solution doesn't work. Sorry! But thanks for your answer.

Saying you got an error doesn’t tell us anything and it doesn’t mean it didn’t work. What error are you getting?

We do not know how you changed the code. Show the code change or push the code (you can create a new branch for it if needed).

If you move the protected routes to before the static serving does the navigation to the admin file not trigger the middleware?
