From 43990bc046cf25a55b4f9ca47020c06fb3eb4bb5 Mon Sep 17 00:00:00 2001
From: woobr005
Date: Sun, 27 Oct 2024 15:50:02 +1030
Subject: [PATCH 1/2] Fixed Basket Authorisation

Fixed issue where a user was able to retrieve details of another users' basket from the api.
---
 routes/basket.ts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/routes/basket.ts b/routes/basket.ts
index b212a97be1e..5958244c0eb 100644
--- a/routes/basket.ts
+++ b/routes/basket.ts
@@ -22,6 +22,12 @@ module.exports = function retrieveBasket () {
           const user = security.authenticatedUsers.from(req)
           return user && id && id !== 'undefined' && id !== 'null' && id !== 'NaN' && user.bid && user.bid != id // eslint-disable-line eqeqeq
         })
+        const user = security.authenticatedUsers.from(req)
+        // check if the correct user is making the request
+        if (user && id && id !== 'undefined' && id !== 'null' && id !== 'NaN' && user.bid && user.bid != id) { // eslint-disable-line eqeqeq
+          res.status(403).send({ error: 'wrong user' })
+          return
+        }
         if (basket?.Products && basket.Products.length > 0) {
           for (let i = 0; i < basket.Products.length; i++) {
             basket.Products[i].name = req.__(basket.Products[i].name)

From 4d3ebfc84ed17e87429ce6c83d5c11a26a5ea24f Mon Sep 17 00:00:00 2001
From: woobr005
Date: Mon, 28 Oct 2024 14:30:10 +1030
Subject: [PATCH 2/2] Added some security tests

Added some HTTPie based test for authentication some some REST API requests.
---
 .github/workflows/ci.yml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 383fc0fdbc8..a4da1b5b421 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
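Review bot: The ownership check in the added `if` is fail-open: every term of the chain must be truthy for the 403 to fire, so a request where `user` or `user.bid` is missing, or where `id` is the string `'undefined'`, `'null'` or `'NaN'`, skips the branch and the basket is still returned below. An authorization check should deny unless ownership is positively established, e.g. `if (!user?.bid || String(user.bid) !== String(id)) {`, which also drops the loose `!=` and the `eslint-disable-line eqeqeq`. The check also runs at a point where `basket` is already populated, i.e. after the database lookup has completed (the enclosing function starts outside this hunk); if the lookup can be placed after the check, the server never fetches a record the caller is not allowed to see. The condition is copied verbatim from the `challengeUtils.solveIf` callback just above it; if both are kept, extracting it into one named predicate keeps them from drifting apart.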
@@ -151,6 +151,39 @@ jobs:
           name: api-test-lcov
           path: |
             api-lcov.info
+  security-api-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@develop
+
+      - name: Install HTTPie
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y httpie
+
+      - name: Run the Web App
+        run: |
+          npm run serve
+
+      - name: Test for authentication requirement on POST for basket
+        run: |
+          http POST http://localhost:3000/rest/basket
+          --expect '401 Unauthorized'
+
+      - name: Test for authentication requirement on PUT for basket
+        run: |
+          http PUT http://localhost:3000/rest/basket/4
+          --expect '401 Unauthorized'
+
+      - name: Test for authentication requirement on GET for basket
+        run: |
+          http GET http://localhost:3000/rest/basket/4
+          --expect '401 Unauthorized'
+
+      - name: Test for authentication requirement on POST for feedback
+        run: |
+          http POST http://localhost:3000/rest/feedbacks
+          --expect '401 Unauthorized'
   coverage-report:
     needs: [test, api-test]
     runs-on: ubuntu-latest
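Review bot: `npm run serve` in the "Run the Web App" step runs the server in the foreground, so that step never finishes and the four HTTPie steps after it never execute (the job hangs until the runner timeout); the server has to be started in the background and the job has to wait until the port answers. In each test step `--expect '401 Unauthorized'` sits on its own line of a multi-line `run:` block with no `\` continuation, so the shell executes it as a separate command after `http` has already exited, and `--expect` is not an HTTPie option I am aware of, so the status line has to be read from the response and compared explicitly. The new job also does not exercise the authorization fix from the previous patch: no test authenticates as one user and requests another user's basket expecting 403, which is the regression this change set is meant to prevent. `actions/checkout@develop` references a branch name rather than a pinned release tag, which is both unlikely to resolve and a mutable supply-chain reference; presumably the other jobs in this workflow pin a version, and this job should use the same one. A rewritten start-and-wait step and one test step are sketched below; the other three test steps follow the same one-line pattern.
```yaml
      - name: Run the Web App
        run: |
          npm run serve &
          for i in $(seq 1 30); do
            curl -sf http://localhost:3000/ > /dev/null && break
            sleep 2
          done

      - name: Test for authentication requirement on POST for basket
        run: |
          http --print=h POST http://localhost:3000/rest/basket | head -n1 | grep -q ' 401 '
      # … unchanged: remaining HTTPie steps, each rewritten to the same one-line check …
```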