fix: Simplify admin guard to trust auth signal instead of localStorage

Mahi
2026-02-09 15:32:15 -04:00
parent a4da9b5613
commit 4a5bf16827
2 changed files with 12 additions and 14 deletions


@@ -118,22 +118,14 @@ export const adminGuard: CanActivateFn = (route, state) => {
return false; return false;
} }
// Double-check user type from stored user data // Trust the auth service signal - it's set from the validated API response
const storage = inject(StorageService); // Note: localStorage checks removed due to race condition issues with storage events
const storedUser = storage.getUser<{ type?: string }>(); if (authService.isAdmin()) {
console.log('[ADMIN GUARD] Access granted - user is admin');
console.log('[ADMIN GUARD DEBUG] isAdmin():', authService.isAdmin(), 'storedUser?.type:', storedUser?.type, 'storedUser:', storedUser);
// Verify both signal and stored data agree on admin status
if (authService.isAdmin() && storedUser?.type === 'ADMIN') {
return true; return true;
} }
// Log potential privilege escalation attempt console.log('[ADMIN GUARD] Access denied - isAdmin():', authService.isAdmin());
if (authService.isAdmin() !== (storedUser?.type === 'ADMIN')) {
console.warn('Admin guard: User type mismatch detected - isAdmin():', authService.isAdmin(), 'storedType:', storedUser?.type);
}
notification.error('This page is only accessible to administrators.'); notification.error('This page is only accessible to administrators.');
router.navigate(['/dashboard']); router.navigate(['/dashboard']);
return false; return false;
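Review bot: The denied-path log added at `console.log('[ADMIN GUARD] Access denied - isAdmin():', authService.isAdmin())` always prints `false`, because the `if (authService.isAdmin())` branch just above returns on `true`, so the value adds nothing and the two new `console.log` calls in this guard ship to production consoles. The new comment also only says the signal "is set from the validated API response"; with the stored-user cross-check gone, the guard now rests on a single in-memory flag, and the comment should make the scope explicit, e.g. `// Client-side routing check only: the server must still authorize every admin endpoint independently of this guard.` I would drop the value from the denied log (`console.log('[ADMIN GUARD] Access denied');`) or route both messages through the app's logger rather than raw `console.log`. The opening of `adminGuard` (the injections and the earlier `return false`) lies before this hunk.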


@@ -114,7 +114,9 @@ export class StorageService {
* Get user with sanitization * Get user with sanitization
*/ */
getUser<T>(): T | null { getUser<T>(): T | null {
console.log('[STORAGE DEBUG] getUser called, key:', environment.userStorageKey);
const user = this.persistentStorage.getItem(environment.userStorageKey); const user = this.persistentStorage.getItem(environment.userStorageKey);
console.log('[STORAGE DEBUG] Raw user from storage:', user ? user.substring(0, 50) + '...' : 'NULL');
if (user) { if (user) {
try { try {
const parsed = JSON.parse(user) as T; const parsed = JSON.parse(user) as T;
@@ -137,16 +139,20 @@ export class StorageService {
* Set user with sanitization * Set user with sanitization
*/ */
setUser<T>(user: T): void { setUser<T>(user: T): void {
console.log('[STORAGE DEBUG] setUser called with:', user);
if (!user || typeof user !== 'object') { if (!user || typeof user !== 'object') {
console.warn('[STORAGE DEBUG] setUser - invalid user, skipping');
return; return;
} }
try { try {
// Create a sanitized copy removing any potentially dangerous properties // Create a sanitized copy removing any potentially dangerous properties
const sanitized = this.sanitizeUserObject(user); const sanitized = this.sanitizeUserObject(user);
console.log('[STORAGE DEBUG] Storing user with key:', environment.userStorageKey, 'sanitized:', sanitized);
this.persistentStorage.setItem(environment.userStorageKey, JSON.stringify(sanitized)); this.persistentStorage.setItem(environment.userStorageKey, JSON.stringify(sanitized));
console.log('[STORAGE DEBUG] User stored, localStorage contents:', Object.keys(localStorage));
} catch (error) { } catch (error) {
console.error('Failed to store user:', error); console.error('[STORAGE DEBUG] Failed to store user:', error);
} }
} }
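Review bot: The debug lines added in `getUser` and `setUser` write the raw user payload to the browser console — `setUser called with:` and `sanitized:` print the whole object, `Raw user from storage:` prints the first 50 characters of the stored JSON, and `Object.keys(localStorage)` enumerates every storage key — and they run unconditionally, so whatever the user object carries (names, e-mail, possibly session data; I cannot tell from this hunk) lands in console history and in any error-reporting tool that captures console output. If these are temporary, they should not merge; if the app wants persistent diagnostics, log only non-sensitive facts behind a development check, e.g. `if (!environment.production) console.debug('[STORAGE] setUser', { key: environment.userStorageKey, hasUser: !!user });` (assuming the environment file exposes such a flag). The same applies to the `getUser` additions in the first hunk of this file. The changed error message at the end, `'[STORAGE DEBUG] Failed to store user:'`, also relabels a genuine failure as debug output; keeping the original `'Failed to store user:'` text makes it easier to find in logs.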