Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authorization bypass with Impersonate button ONLY for localdev #332

Merged
merged 12 commits into from
Dec 30, 2024
Merged

Authorization bypass with Impersonate button ONLY for localdev #332

merged 12 commits into from
Dec 30, 2024

Conversation

obscurerichard
Copy link
Member

@obscurerichard obscurerichard commented Dec 19, 2024
edited
Loading

If you view the URL http://localhost:5000/authorization?athlete_id=NNNN you can now fake authorizing as that athlete only in the localdev environment in order to better debug the individual user pages.

  • Retrieves athlete from database to build mock strava_athlete
  • Adds an 🕵 Impersonate 👀 button on each user's People page that only shows in the localdev environment
  • Piles on some 2025 leaderboard fixes just because

@obscurerichard
Add an authorization bypass for localdev
1c2974a 
If you specify http://localhost:5000/authorization?athlete_id=NNNN you
can now authorize as that athlete.

TODO:
* Retrieve athlete from database, only use those, get rid of mock class
* Consider adding UI support for just selecting the athlete to auth as -
  maybe a special link off the People page that only shows in the
  localdev environment for each person. Or a big old "Impersonate"
  button (also only showing on localdev) on that person's page.

  That would be the most convenient.

* Consider adding a nonce that would print in the logs only for this
  session for the localhost authorization URL. That might prevent some
  classes of attacks.
@obscurerichard obscurerichard added enhancement help wanted Help wanted - can you take this on? labels Dec 20, 2024
@obscurerichard obscurerichard changed the title Add an authorization bypass for localdev Authorization bypass with Impersonate button ONLY for localdev Dec 30, 2024
@obscurerichard obscurerichard marked this pull request as ready for review December 30, 2024 03:44
@obscurerichard obscurerichard merged commit 7672504 into master Dec 30, 2024
7 checks passed
@obscurerichard obscurerichard deleted the feature-localdev-authentication-bypass branch December 30, 2024 05:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
enhancement help wanted Help wanted - can you take this on?
Projects
Freezing Saddles
Status: Done
Milestone
2025 - Competition Start
Development

Successfully merging this pull request may close these issues.
1 participant
@obscurerichard