
hangarauth's People

Contributors

clrxbl, cubxity, dependabot[bot], e-im, kennytv, machine-maker, minidigger, renovate[bot]


hangarauth's Issues

Regenerating QR Code

As a new member of Hangar, I registered a new account recently.

Unfortunately, while reporting some issues I shared a screen of my QR code in the chat, which is very bad from a security point of view. It was deleted quickly, but it raised the question of whether the QR code can be changed in cases similar to mine.

improvements for v2 (or 3? what number are we on?)

  • Add indicators what fields are optional/required
  • Improve the email valid check (currently it only seems to check for @ or something like that, so a@a works)
  • When loading the page sometimes the textboxes take a second to load which makes the page look weird/scuffed
  • Maybe check if a username/mail is already used before clicking on Sign Up?
  • Alternative: If a username/mail is already used don't reset all the fields
  • Add an indicator to the password to immediately see if it doesn't follow the requirements
  • "The password can not be used because password length must be at least 8 characters but only got 2." sounds wrong. Suggestion: "Your password does not meet the minimum required length. It has to be at least 8 characters long, but is only 4" or something like that
  • Maybe add some requirements for the username? I'm not sure we want usernames with spaces and emojis

save button in the profile change avatar has no function or not clickable

Observed/problematic behavior

as described in title, button does not seem to be clickable.

Expected behavior

ability to click save in change avatar page

Steps to reproduce

  • go to your account settings page
  • click change avatar
  • upload your avatar
  • click save

Other

"Enter" key on login page

I usually use my Enter key instead of clicking on Sign in, but currently when hitting Enter nothing seems to happen.
If you hit Enter in the "Security key" tab, you get thrown back into the Password tab and your input gets cleared.

Allow option for signing with email

It would be nicer (and more secure) to have an option to allow only signing in with an email, or allowing username and email. I don't want people guessing away at my password assuming they don't have my email and only username.

Session Location Tracking

If I manage to take the session client from a browser and I live across the world from where the session was originally created - it should require me to reauthorize

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

  • chore(deps): update dependency pnpm to v8

Edited/Blocked

These updates have been manually edited so Renovate will no longer make changes. To discard all commits and start over, click on a checkbox.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

docker-compose
docker/docker-compose.yml
dockerfile
chart/dockerfiles/backend/Dockerfile
  • eclipse-temurin 17.0.6_10-jre-alpine
chart/dockerfiles/frontend/Dockerfile
  • node 19-alpine
docker/hydra/Dockerfile
  • oryd/hydra v1.11.10
docker/kratos/Dockerfile
  • oryd/kratos v0.11.1
docker/postgres/Dockerfile
  • postgres 14-alpine
github-actions
.github/workflows/backend_build.yml
  • actions/checkout v3
  • actions/setup-java v3
  • actions/cache v3
.github/workflows/deploy.yml
  • actions/checkout v3
  • docker/setup-buildx-action v2
  • actions/setup-java v3
  • actions/setup-node v3
  • pnpm/action-setup v2.2.4
  • actions/cache v3
  • actions/cache v3
  • docker/login-action v2
  • docker/metadata-action v4
  • docker/build-push-action v3
  • docker/metadata-action v4
  • docker/build-push-action v3
.github/workflows/frontend_build.yml
  • actions/checkout v3
  • actions/setup-node v3
  • pnpm/action-setup v2.2.4
  • actions/cache v3
.github/workflows/issues_to_project.yml
  • actions/add-to-project v0.4.0
helm-values
chart/values.yaml
  • oryd/hydra v1.11.10
  • oryd/kratos v0.11.1
  • oryd/kratos v0.11.1
helmv3
chart/Chart.yaml
  • postgresql 12.1.11
maven
backend/pom.xml
  • org.springframework.boot:spring-boot-starter-parent 3.0.4
  • org.jdbi:jdbi3-bom 3.37.1
  • com.squareup.okhttp3:okhttp 4.10.0
  • sh.ory.hydra:hydra-client 1.11.8
  • org.sejda.imageio:webp-imageio 0.1.6
  • org.springdoc:springdoc-openapi-ui 1.6.15
  • org.jetbrains:annotations 24.0.1
  • io.awspring.cloud:spring-cloud-aws-starter-s3 3.0.0-RC1
  • com.h2database:h2 2.1.214
  • org.testcontainers:postgresql 1.17.6
  • org.graalvm.buildtools:native-maven-plugin 0.9.20
npm
frontend/package.json
  • @headlessui/vue 1.7.12
  • @intlify/unplugin-vue-i18n ^0.10.0
  • @ory/hydra-client 1.11.8
  • @ory/kratos-client 0.11.1
  • @pinia/nuxt 0.4.7
  • @vuelidate/core 2.0.0
  • @vuelidate/validators 2.0.0
  • @vueuse/components 9.13.0
  • @vueuse/core 9.13.0
  • @vueuse/head 1.1.23
  • @vueuse/integrations 9.13.0
  • accept-language-parser 1.5.0
  • axios 0.27.2
  • debug 4.3.4
  • filesize 10.0.6
  • lodash-es ^4.17.21
  • nprogress 0.2.0
  • ofetch ^1.0.1
  • pinia 2.0.33
  • universal-cookie 4.0.4
  • vue 3.2.47
  • vue-advanced-cropper 2.8.8
  • vue-i18n 9.2.2
  • vue3-popper 1.5.0
  • @iconify-json/mdi 1.1.50
  • @nuxt-alt/proxy 2.2.0
  • @nuxtjs/eslint-config-typescript 12.0.0
  • @types/accept-language-parser 1.5.3
  • @types/debug 4.1.7
  • @types/lodash-es ^4.17.7
  • @types/node ^18.15.9
  • @types/nprogress 0.2.0
  • @types/prettier 2.7.2
  • @types/qs 6.9.7
  • @unocss/nuxt ^0.50.6
  • @vue/eslint-config-typescript 11.0.2
  • eslint 8.36.0
  • eslint-config-prettier 8.8.0
  • eslint-import-resolver-alias 1.1.2
  • eslint-import-resolver-typescript 3.5.3
  • eslint-plugin-eslint-comments 3.2.0
  • eslint-plugin-import 2.27.5
  • eslint-plugin-unicorn 46.0.0
  • eslint-plugin-vue 9.10.0
  • husky 8.0.3
  • lint-staged 13.2.0
  • nuxt ^3.3.2
  • pnpm 7.30.3
  • prettier 2.8.7
  • qs 6.11.1
  • regenerator-runtime 0.13.11
  • sass 1.60.0
  • typescript 5.0.2
  • unplugin-auto-import 0.15.2
  • unplugin-icons 0.15.3
  • unplugin-vue-components 0.24.1
  • vite 4.2.1
  • vite-plugin-eslint 1.8.1
  • vue-tsc 1.2.0
  • node >=16

  • Check this box to trigger a request for Renovate to run again on this repository

2FA QR code on profile should be blurred out by default to prevent accidental sharing

Is your feature request related to a problem?

It's easy to accidentally share your 2FA QR code by taking a screenshot of your member settings page. Perhaps any sensitive information should be hidden by default so that it won't be accidentally shared.

Describe the solution you'd like.

I think the 2FA QR code on members' member settings should be blurred out by default, which can be toggled via a button, switch, or some other input.

Describe alternatives you've considered.

  1. Moving sensitive member information into a sub-page - it likely requires more work.
  2. Adding a callout or something onto the profile page informing users that there is sensitive information on their member settings page which should not be shared with anyone.

Other

No response

Failed request to save user settings upon account settings load

When loading the main account settings page (default page for logged in users), there is a POST request to save settings. This is due to the watched dark mode boolean being called, which tries to save the settings. The csrf_token parameter is missing from that POST request. This request is handled by the SettingsController.

Can't modify user information due to missing username property

When trying to set GitHub name/Discord ID in the user information section in the settings it will claim that the username is missing. It was in the field before but not after clicking save.

I assume that's because the username isn't sent with the request as you shouldn't be able to change that? So the solution should definitely not be to send the field value (as a malicious actor could just send whatever) but add the property or ignore that it's missing on the backend.

Screenshot_20221223-235125.png

Email verification should not "dead end"

When entering the verification process through the profile, you eventually reach a "dead end" where you have no direct way back to your profile and are forced to fumble your way back to hangar. Having a "back to profile" button, auto redirect, or even the normal hangar navbar at the top would be an easy solution for this.

Login flow when using security key

The login flow in hangar-auth feels really weird. So I click on Security Key, enter my username, and then "Sign in with security key". Then I get the Prepare your WebAuthn device thingy, but below that the "Password" tab is selected and I have to click on "Security Key" again, before I then get a Continue button that feels completely out of place and has the same color as Register/Forgot

  1. Why do I have to manually click on "Continue" after I've already clicked on "Sign in with security key"? Feels like that step is unnecessary I kinda understand it now, but see the rest
  2. On the second page, the "Security Key" tab should ideally be pre-selected, especially since the password-tab is empty there
  3. There should be some sort of visual distinction between the Continue button and Register/Forgot. Could be a blue button as well
  4. Without a text directly above the "Continue" button the spacing looks kinda weird

image stuff

we need to cut images to size (only allow 1:1)
maybe we can have a fancy tool on frontend for selecting a region and zooming?
also need to downscale images to reasonable file sizes, plus allow different formats (webp anyone?!)

Security key used for registration buggy

  • When using a security key for registration, that security key is not visible in your profile.
  • If you try to add a new security key, but cancel that process, your initial security key gets removed/invalidated, causing you to potentially lose access
  • If you add the security key again the initial security key becomes visible as well. Removing either one of the security keys will cause them both to be removed

Support transparency for pictures

Observed/problematic behavior

WEBP version of avatar has extraneous borders, compared with the uploaded PNG. This is evident in dark mode.

Correct:
slimedog-315

Incorrect:
https://hangar.papermc.dev/SlimeDog or https://hangarauth.papermc.dev/account/settings?flow=447cbcd6-0af4-4c2f-9c6f-ed0c4ea2c1e8

Expected behavior

Avatar should be converted/presented per the original.

Steps to reproduce

  • Upload avatar from PNG with transparent corners.
  • Observe resulting avatar in dark mode.

Other

No response
