🚑️: login security issue

sparcs-kaist · Mar 20, 2024 · 35df628 · 35df628
1 parent c72f6b1
commit 35df628
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 37 deletions.
diff --git a/back/routes/auth.js b/back/routes/auth.js
@@ -36,17 +36,18 @@ router.get("/login", async (req, res) => {
 });
 
 router.get("/callback", async (req, res) => {
-  const { code } = req.query;
-  const { state } = req.session;
+  const { code, state } = req.query;
+  // const { state } = req.session;
 
   try {
-    const userInfo = await client.getUserInfo(code, state);
+    // const userInfo = await client.getUserInfo(code, state);
+    const loginInfo = { code, state };
     res.redirect(
       `${
         process.env.FRONTEND_URL.includes("http")
           ? process.env.FRONTEND_URL
           : `https://${process.env.FRONTEND_URL}`
-      }/?userInfo=${JSON.stringify(userInfo)}`
+      }/?loginInfo=${JSON.stringify(loginInfo)}`
     );
   } catch (error) {
     res.send("Error: " + error.message);

diff --git a/back/routes/user.js b/back/routes/user.js
@@ -3,12 +3,45 @@ const router = express.Router();
 const { Member, sequelize, ClubRepresentative } = require("../models");
 const { Op } = require("sequelize");
 const checkPermission = require("../utils/permission");
-const searchPermission = require("../utils/permission");
+const Client = require("../utils/sparcssso");
+
+const clientId = process.env.SSO_CLIENT_ID;
+const secretKey = process.env.SSO_SECRET_KEY;
+const client = new Client(clientId, secretKey);
 
 router.post("/", async (req, res) => {
-  const { uid, kaist_info, sid } = req.body;
+  const { code, state } = req.body;
+  const userInfo = await client.getUserInfo(code, state);
 
   try {
+    const DEVUID = process.env.REACT_APP_DEVUID;
+
+    if (userInfo.kaist_info) {
+      userInfo.kaist_info = JSON.parse(userInfo.kaist_info);
+    }
+
+    if (userInfo.uid === DEVUID) {
+      userInfo.kaist_info = {
+        kaist_uid: process.env.REACT_APP_kaist_uid,
+        mail: process.env.REACT_APP_mail,
+        ku_sex: process.env.REACT_APP_ku_sex,
+        ku_acad_prog_code: process.env.REACT_APP_ku_acad_prog_code,
+        ku_kaist_org_id: process.env.REACT_APP_ku_kaist_org_id,
+        ku_kname: process.env.REACT_APP_ku_kname,
+        ku_person_type: process.env.REACT_APP_ku_person_type,
+        ku_person_type_kor: process.env.REACT_APP_ku_person_type_kor,
+        ku_psft_user_status_kor: process.env.REACT_APP_ku_psft_user_status_kor,
+        ku_born_date: process.env.REACT_APP_ku_born_date,
+        ku_std_no: process.env.REACT_APP_ku_std_no,
+        ku_psft_user_status: process.env.REACT_APP_ku_psft_user_status,
+        employeeType: process.env.REACT_APP_employeeType,
+        givenname: process.env.REACT_APP_givenname,
+        displayname: process.env.REACT_APP_displayname,
+        sn: process.env.REACT_APP_sn,
+      };
+    }
+
+    const { uid, kaist_info, sid } = userInfo;
     // 트랜잭션 시작
     const userData = {
       student_id: parseInt(kaist_info.ku_std_no),

diff --git a/front/src/pages/home/Home/Home.tsx b/front/src/pages/home/Home/Home.tsx
@@ -20,40 +20,14 @@ export const Home = (): JSX.Element => {
   useEffect(() => {
     const fetchData = async () => {
       const queryParams = new URLSearchParams(location.search);
-      const userInfoStr = queryParams.get("userInfo");
+      const loginInfoStr = queryParams.get("loginInfo");
 
-      if (userInfoStr) {
-        const userInfo = JSON.parse(userInfoStr);
-        const DEVUID = process.env.REACT_APP_DEVUID;
-
-        if (userInfo.kaist_info) {
-          userInfo.kaist_info = JSON.parse(userInfo.kaist_info);
-        }
-
-        if (userInfo.uid === DEVUID) {
-          userInfo.kaist_info = {
-            kaist_uid: process.env.REACT_APP_kaist_uid,
-            mail: process.env.REACT_APP_mail,
-            ku_sex: process.env.REACT_APP_ku_sex,
-            ku_acad_prog_code: process.env.REACT_APP_ku_acad_prog_code,
-            ku_kaist_org_id: process.env.REACT_APP_ku_kaist_org_id,
-            ku_kname: process.env.REACT_APP_ku_kname,
-            ku_person_type: process.env.REACT_APP_ku_person_type,
-            ku_person_type_kor: process.env.REACT_APP_ku_person_type_kor,
-            ku_psft_user_status_kor:
-              process.env.REACT_APP_ku_psft_user_status_kor,
-            ku_born_date: process.env.REACT_APP_ku_born_date,
-            ku_std_no: process.env.REACT_APP_ku_std_no,
-            ku_psft_user_status: process.env.REACT_APP_ku_psft_user_status,
-            employeeType: process.env.REACT_APP_employeeType,
-            givenname: process.env.REACT_APP_givenname,
-            displayname: process.env.REACT_APP_displayname,
-            sn: process.env.REACT_APP_sn,
-          };
-        }
+      if (loginInfoStr) {
+        const loginInfo = JSON.parse(loginInfoStr);
 
         try {
-          await postRequest("user/", userInfo, () => {});
+          console.log(loginInfo);
+          await postRequest("user", loginInfo, () => {});
           await getRequest("user", (data) => {
             login(data);
           });