fix IDOR vulnerability, increase userId entropy, and add rate limiting (Fixes #29)#30

Open

ArshVermaGit wants to merge 1 commit into coder-zs-cse:main from ArshVermaGit:main

Conversation

@ArshVermaGit

Description

This PR resolves the critical security vulnerabilities outlined in Issue #29.

Previously, the application implicitly trusted an easily guessable 8-character userId header, allowing malicious actors to manipulate other players' game progress (IDOR) and spam the API without restriction.

This PR hardens the authentication and API layer by introducing UUIDs, JSON Web Tokens (JWT), and Edge Middleware rate limiting.

Key Changes

  • Strong Entropy: Replaced the weak 4-byte hex ID generation with standard UUID v4.
  • JWT Authentication: The /api/new-user endpoint now generates and signs a JWT containing the user's UUID using jose. The frontend securely stores this and attaches it as a Bearer token.
  • Middleware Hardening: The Edge middleware now cryptographically verifies the JWT before injecting the userId into downstream requests, completely blocking IDOR attacks.
  • Rate Limiting: Implemented a lightweight, in-memory rate limiter in the middleware restricting clients to 60 requests per minute to prevent brute-force attacks and DoS.
  • Frontend Auto-Recovery: The Axios interceptor seamlessly handles 401 Unauthorized errors by automatically provisioning a new secure account and reloading the session.

Verification & Proof

1. Secure Tokens

The application now securely issues a strong UUID and a signed JWT to the client upon creation.
[Screenshot: Verification_1]

2. IDOR / Auth Bypass Blocked

Requests missing a valid cryptographic signature are now actively rejected by the middleware with a 401 Unauthorized, preventing anyone from spoofing IDs.
[Screenshot: Verification_2]

3. Rate Limiting Active

Automated scripts attempting to abuse the API are successfully blocked. The screenshot below demonstrates a spam script being halted with a 429 Too Many Requests after the 60th attempt.
[Screenshot: Verification_3]

Closes #29

@vercel

vercel Bot commented May 25, 2026


@ArshVermaGit is attempting to deploy a commit to the coderzs' projects Team on Vercel.

A member of the Team first needs to authorize it.

@ArshVermaGit ArshVermaGit left a comment

Hi @coder-zs-cse ! Issue #29 has been resolved. Please review the PR and merge it under GSSoC. Thanks!

Development

Successfully merging this pull request may close these issues.

Critical Security Vulnerability: Insecure Direct Object Reference (IDOR) & Authentication Bypass via Spoofable userId Header