fix: prevent cross-user data exposure in IndexedDB operations (closes #885) #886

Open
namann5 wants to merge 1 commit into Somil450:main from namann5:fix/indexeddb-cross-user-privacy

namann5 commented Jun 22, 2026 (Contributor)

Description

Fixes a critical privacy vulnerability where `updateLocalWorkoutsFromFirestore` loads all local IndexedDB records across all users via `store.getAll()`, exposing cross-user workout data in memory on shared devices. Also fixes an authorization gap in `deleteWorkout()` where the `userId` parameter was accepted but never validated.

Changes

`src/services/workoutSyncService.ts`

  1. **`updateLocalWorkoutsFromFirestore`**: Replaced `store.getAll()` (loads every record across all users) with `store.index('userId').getAll(IDBKeyRange.only(userId))` — only the current user's local records are loaded into memory.

  2. **`deleteWorkout`**: Added an ownership check — before deleting, fetches the record and verifies `record.userId === userId`. If the IDs don't match, the deletion is rejected.

Impact

  • Before: User A's sync from Firestore loads User B's private workout data (exercise type, reps, scores, timestamps) into memory on shared devices
  • Before: `deleteWorkout(userId, id)` would delete any record by primary key, ignoring the userId parameter entirely
  • After: Only the authenticated user's data is loaded during sync; local deletions verify ownership

Related

Closes #885

- Filter local records by userId in updateLocalWorkoutsFromFirestore
  using the userId index instead of loading all records via store.getAll()
- Add userId ownership validation in deleteWorkout before allowing deletion

Closes Somil450#885
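
A minimal model of the two changes described in the PR description above, added here as an example and not the project's own code. `FakeWorkoutStore` is a synchronous in-memory stand-in for the IndexedDB object store, and `loadLocalUnscoped`, `loadLocalForUser`, `deleteOwnWorkout` and the sample records are hypothetical names and data.

```javascript
// Synchronous in-memory stand-in for the workouts object store (constructed for this
// example). Real IndexedDB requests are asynchronous; the access rules are the same.
class FakeWorkoutStore {
  constructor(records) {
    this.rows = new Map(records.map((r) => [r.id, { ...r }]));
  }
  getAll() { return [...this.rows.values()]; } // every user's rows
  get(id) { return this.rows.get(id); }
  delete(id) { this.rows.delete(id); }
  index(field) { // models store.index('userId')
    return { getAll: (key) => this.getAll().filter((r) => r[field] === key) };
  }
}

// Before the fix: an unscoped read pulls every account's records into memory.
function loadLocalUnscoped(store) {
  return store.getAll();
}

// After the fix: read through the userId index, scoped to the signed-in user.
function loadLocalForUser(store, userId) {
  // A real IDBIndex.getAll() called with an undefined query returns all records,
  // so refuse a missing userId instead of passing it through.
  if (typeof userId !== 'string' || userId === '') {
    throw new TypeError('userId is required');
  }
  return store.index('userId').getAll(userId);
}

// After the fix: fetch first, delete only if the record belongs to the caller.
// "Not found" and "not yours" return the same value, so the result does not
// reveal whether another user's id exists.
function deleteOwnWorkout(store, userId, id) {
  const record = store.get(id);
  if (!record || record.userId !== userId) return false;
  store.delete(id);
  return true;
}

// Constructed sample data: two accounts that used the same browser profile.
const SAMPLE = [
  { id: 'w1', userId: 'userA', exercise: 'squat', reps: 12 },
  { id: 'w2', userId: 'userA', exercise: 'pushup', reps: 20 },
  { id: 'w3', userId: 'userB', exercise: 'plank', reps: 3 },
];
```

A regression test for the real service can follow the same shape: seed records for two user ids, then check that the sync path only returns the caller's rows and that a delete with a mismatched `userId` leaves the record in place.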

vercel Bot commented Jun 22, 2026

@namann5 is attempting to deploy a commit to the somiljain2024-4175's projects Team on Vercel.

A member of the Team first needs to authorize it.

@diksha78dev

Collaborator

@namann5 Make ci pipeline checks green.

diksha78dev added the labels bug, gssoc-26, gssoc:approved, level:intermediate, type:bug, mentor:diksha78dev, type:security on Jun 23, 2026

Development

Successfully merging this pull request may close these issues.

[CRITICAL] Cross-user workout data exposure via IndexedDB getAll() in updateLocalWorkoutsFromFirestore