fix: Security Issues (#3530)

Co-authored-by: boc-the-git <3479092+boc-the-git@users.noreply.github.com>
2025-08-05 05:25:26 +02:00 · 2024-04-30 15:53:55 -05:00 · 2024-04-30 15:53:55 -05:00 · ec458a0a08
commit ec458a0a08
parent 2ff37c86d6
7 changed files with 11 additions and 36 deletions
--- a/frontend/lib/api/user/users.ts
+++ b/frontend/lib/api/user/users.ts
@ -1,10 +1,9 @@
 import { BaseCRUDAPI } from "../base/base-clients";
 import { QueryValue, route } from "~/lib/api/base/route";
-import { PaginationData, RequestResponse } from "~/lib/api/types/non-generated";
+import { PaginationData } from "~/lib/api/types/non-generated";
 import {
  ChangePassword,
  DeleteTokenResponse,
-  GroupInDB,
  LongLiveTokenIn,
  LongLiveTokenOut,
  ResetPassword,
@ -30,7 +29,6 @@ const routes = {
  groupUsers: `${prefix}/users/group-users`,
  usersSelf: `${prefix}/users/self`,
  ratingsSelf: `${prefix}/users/self/ratings`,
-  groupsSelf: `${prefix}/users/self/group`,
  passwordReset: `${prefix}/users/reset-password`,
  passwordChange: `${prefix}/users/password`,
  users: `${prefix}/users`,
@ -57,10 +55,6 @@ export class UserApi extends BaseCRUDAPI<UserIn, UserOut, UserBase> {
    return await this.requests.get<PaginationData<UserSummary>>(route(routes.groupUsers, { page, perPage, ...params }));
  }

-  async getSelfGroup(): Promise<RequestResponse<GroupInDB>> {
-    return await this.requests.get(routes.groupsSelf, {});
-  }
-
  async addFavorite(id: string, slug: string) {
    return await this.requests.post(routes.usersIdFavoritesSlug(id, slug), {});
  }
--- a/frontend/nuxt.config.js
+++ b/frontend/nuxt.config.js
@ -156,6 +156,7 @@ export default {
            propertyName: "access_token",
          },
          refresh: { url: "api/auth/refresh", method: "post" },
+          logout: { url: "api/auth/logout", method: "post" },
          user: { url: "api/users/self", method: "get" },
        },
      },
--- a/frontend/pages/user/profile/index.vue
+++ b/frontend/pages/user/profile/index.vue
@ -190,7 +190,6 @@

 <script lang="ts">
 import { computed, defineComponent, useContext, ref, toRefs, reactive, useAsync, useRoute } from "@nuxtjs/composition-api";
-import { invoke, until } from "@vueuse/core";
 import UserProfileLinkCard from "@/components/Domain/User/UserProfileLinkCard.vue";
 import { useUserApi } from "~/composables/api";
 import { validators } from "~/composables/use-validators";
@ -198,7 +197,7 @@ import { alert } from "~/composables/use-toast";
 import UserAvatar from "@/components/Domain/User/UserAvatar.vue";
 import { useAsyncKey } from "~/composables/use-utils";
 import StatsCards from "~/components/global/StatsCards.vue";
-import { GroupInDB, UserOut } from "~/lib/api/types/user";
+import { UserOut } from "~/lib/api/types/user";

 export default defineComponent({
  name: "UserProfile",
@ -216,7 +215,6 @@ export default defineComponent({

    // @ts-ignore $auth.user is typed as unknown, but it's a user
    const user = computed<UserOut | null>(() => $auth.user);
-    const group = ref<GroupInDB | null>(null);

    const showPublicLink = ref(false);
    const publicLink = ref("");
@ -225,16 +223,6 @@ export default defineComponent({
    const token = ref("");
    const api = useUserApi();

-    invoke(async () => {
-      await until(user.value).not.toBeNull();
-      if (!user.value) {
-        return;
-      }
-
-      const { data } = await api.users.getSelfGroup();
-      group.value = data;
-    });
-
    async function getSignupLink() {
      const { data } = await api.groups.createInvitation({ uses: 1 });
      if (data) {
@ -333,7 +321,6 @@ export default defineComponent({
      getStatsTitle,
      getStatsIcon,
      getStatsTo,
-      group,
      stats,
      user,
      constructLink,