The route URL looks like: domain.com/myRoute
If this page is opened directly without logging in, the Server Connect inside the page has been configured to redirect to the login page on the error event.
However, the underlying PHP page can still be opened up in browser: domain.com/my_route_page.php
All we can see on this page is just the variables, etc. No data is populated, of course, but this is still deemed a security risk - the page structure is exposed to users who are not logged in.
Is there a workaround for it so that the *.php route pages are not allowed to be opened directly and just throw a 404?
If you want to restrict a complete PHP page with the security provider, add the security enforcer to it - that is its purpose. That is at least the way in PHP.
The problem with this method (applying security provider enforcer on parent php page) is that on doing a security login + redirection from server action side we always get a 302. Login is never successful.
On removing the security enforcer, login is successful.
How do you think we can handle this? Or is it something that Wappler must take care of?
From a server action we’re doing a security login and redirecting to domain.com/parent/somePage (from the server side itself using the ‘Redirection’ step) - in the network tab we see a 302 when parent.php has a security enforcer enabled. We’re unable to log in at all.
But if we remove the security enforcer from parent.php, we’re able to log in using the same credentials, and this time the route redirects just fine with a 200 (as seen in the network tab in dev tools on Chrome).
Hi guys,
I’m very interested in this one for all the reasons you can imagine.
Do you have any indication of the time for when this will be made available?
I hope you’re well. I was wondering if you’ve been able to make any progress with this issue and if there is anything we could do to help.
Many thanks!
I’ve already made the needed underlying changes within Wappler to allow the security provider code to be added on a content page. It still needs some changes in the security provider code itself, and the Wappler UI part has to be updated.
The security enforcer can now be placed on PHP content pages. If there are any issues with the implementation, then please open a bug report for that. I will close this topic.