bug/security fixes

src/assets/js/cloud/script.js

@@ -491,7 +491,7 @@ document.querySelector('#btn-add-note').addEventListener('click', () => {
 });
 
 document.querySelector('#btn-unlock-float').addEventListener('click', async () => {
-  await defaultScript.verifyFingerprint();
+  await defaultScript.getFingerprint();
   await getNotes();
 });
 

src/assets/js/default.js

@@ -110,10 +110,36 @@ export const getLockApp = async () => {
   }
 }
 
-export const verifyFingerprint = async () => {
+export const getFingerprint = async () => {
   try {
-    const challenge = generateRandomBytes(16);
-    const userId = generateRandomBytes(8);
+    const challenge = generateRandomBytes(32);
+    const publicKeyOptions = {
+      challenge,
+      rp: {
+        name: 'Bloc-notes',
+      },
+      allowCredentials: [],
+      userVerification: "preferred",
+      timeout: 60000,
+    };
+    const credential = await navigator.credentials.get({ publicKey: publicKeyOptions });
+    if (credential) {
+      isLocked = false;
+      document.querySelector('#btn-unlock-float').classList.add('d-none');
+      document.querySelectorAll('#sidebar button').forEach((e) => e.classList.remove('d-none'));
+      document.querySelector('#btn-add-note').classList.remove('d-none');
+      document.querySelector('#lock-app-slider').classList.remove('d-none');
+    } else showError('An error occurred - No credential');
+  } catch (error) {
+    showError(`An error occurred - ${error}`);
+  }
+};
+
+export const createFingerprint = async () => {
+  try {
+    const challenge = generateRandomBytes(32);
+    const username = document.querySelector('#user-name').textContent;
+    const userId = new TextEncoder().encode(username);
     await navigator.credentials.create({
       publicKey: {
         challenge,
@@ -139,6 +165,10 @@ export const verifyFingerprint = async () => {
           authenticatorAttachment: 'platform',
           userVerification: 'preferred',
         },
+        excludeCredentials: [{
+          type: 'public-key',
+          id: userId
+        }],
         timeout: 60000,
         attestation: 'none',
       },
@@ -446,7 +476,7 @@ document.querySelectorAll('.custom-check').forEach((e) => {
 
 document.querySelector('#check-lock-app').addEventListener('change', async (e) => {
   if (isLocked) return;
-  if (e.target.checked) await verifyFingerprint();
+  if (e.target.checked) await createFingerprint();
   try {
     const data = new URLSearchParams({ csrf_token: csrfToken, lock_app: e.target.checked });
     const res = await fetch('./assets/php/lockApp.php', {

src/assets/js/local/script.js

@@ -460,7 +460,7 @@ document.querySelector('#btn-add-note').addEventListener('click', () => {
 });
 
 document.querySelector('#btn-unlock-float').addEventListener('click', async () => {
-  await defaultScript.verifyFingerprint();
+  await defaultScript.getFingerprint();
   await getNotes();
 });
 

src/assets/php/addNote.php

@@ -25,6 +25,14 @@
     'bg-pink',
 ];
 
+if (iconv_strlen($title) > 30) {
+    throw new Exception('Insert failed');
+    return;
+}
+if (iconv_strlen($content) > 20000) {
+    throw new Exception('Insert failed');
+    return;
+}
 if (in_array($color, $allColors) === false) $color = 'bg-default';
 
 try {

src/assets/php/updateNote.php

@@ -25,6 +25,14 @@
     'bg-pink',
 ];
 
+if (iconv_strlen($title) > 30) {
+    throw new Exception('Update failed');
+    return;
+}
+if (iconv_strlen($content) > 20000) {
+    throw new Exception('Update failed');
+    return;
+}
 if (in_array($color, $allColors) === false) $color = 'bg-default';
 
 try {

src/assets/sass/style.sass

@@ -198,7 +198,6 @@ select
   border: none
 
 textarea
-  font-size: .9rem
   width: 100%
   min-height: 200px
   max-height: 1000px
@@ -279,8 +278,8 @@ input
 
     .christmas
       position: absolute
-      top: 10px
-      left: 8px
+      top: 7px
+      left: 7px
       transform: rotate(-25deg)
 
     .nav-buttons
@@ -357,13 +356,14 @@ input
     user-select: none
     text-align: center
     margin-top: 10px
-    margin-bottom: 4px
+    margin-bottom: 5px
 
     i
       cursor: pointer
       display: inline-flex
       align-items: center
       justify-content: center
+      font-size: 1.1rem
       margin: 0 4px
       width: 30px
       height: 30px
@@ -377,6 +377,7 @@ input
   display: flex
   justify-content: center
   align-items: center
+  font-size: 1.1rem
   width: 48px
   height: 48px
   margin-top: 5px
@@ -392,7 +393,7 @@ input
   width: 60px
   height: 60px
   margin: 0
-  font-size: 1.5rem
+  font-size: 1.6rem
   border-radius: 48px
   z-index: 1
 
@@ -470,6 +471,7 @@ input
     display: inline-flex
     align-items: center
     justify-content: center
+    font-size: 1.1rem
     width: 30px
     height: 30px
     border-radius: 50%
@@ -539,19 +541,17 @@ dialog
     overflow-y: auto
 
     .content
-      min-width: 100%
       padding: 4px 1rem
       border-radius: 1rem
 
 #note-popup-box
-  font-size: .9rem
-
   .popup
     max-width: 1300px
 
   .content
     input,
     textarea
+      font-size: 1rem
       padding: 0
       border: none
       border-radius: 0
@@ -716,7 +716,7 @@ dialog
   justify-content: center
   align-items: center
   top: 50svh
-  font-size: 1.5rem
+  font-size: 1.6rem
   border-radius: 48px
   width: 75px
   height: 75px

src/index.php

@@ -340,7 +340,7 @@
                         <div class="close">
                             <i class="fa-solid fa-xmark"></i>
                         </div>
-                        <div class="row bold">
+                        <div id="user-name" class="row bold">
                             <?= htmlspecialchars($name, ENT_QUOTES, 'UTF-8') ?>
                         </div>
                         <div class="row">