13.4.2
Review the source code for /users/invite. Determine why it cannot be exploited.
- https://github.com/directus/directus/blob/v9.0.0-rc.34/api/src/controllers/users.ts
- The issue is located in authenticate.ts → https://github.com/directus/directus/blob/v9.0.0-rc.34/api/src/middleware/authenticate.ts
`if (!req.token) return next();` — does not error and passes execution to the next middleware, so a request without a token still reaches the `/invite` handler.
/**
 * POST /invite — invite one or more users by e-mail.
 *
 * The request body is checked against `inviteSchema`; a failed validation is
 * surfaced as an `InvalidPayloadException` carrying the validator's message.
 * A `UsersService` is then built from the request's accountability and schema
 * and asked to send the invitations, after which control passes to the next
 * handler (`respond`). Nothing derived from the invitation (token or accept
 * URL) is placed on `res` by this handler.
 */
router.post(
  '/invite',
  asyncHandler(async (req, res, next) => {
    const validation = inviteSchema.validate(req.body);
    if (validation.error) {
      throw new InvalidPayloadException(validation.error.message);
    }

    const { email, role } = req.body;
    const users = new UsersService({
      accountability: req.accountability,
      schema: req.schema,
    });
    await users.inviteUser(email, role);

    return next();
  }),
  respond
);
/**
 * Creates an `invited` user record for each address and e-mails it a
 * signed accept-invite link.
 *
 * @param email - one address, or a list of addresses, to invite.
 * @param role  - role value assigned to every created user.
 *
 * The invite token is a JWT signed with `env.SECRET` (7-day expiry) whose
 * payload is `{ email, scope: 'invite' }`; it is only ever handed to
 * `sendInviteMail` for the invitee and is not returned to the caller.
 * Addresses are processed one at a time, in order.
 */
async inviteUser(email: string | string[], role: string) {
  const recipients = toArray(email);

  for (const recipient of recipients) {
    // The user row is created before the token is minted, so a rejected
    // create propagates out of the method before any link is sent.
    await this.service.create({ email: recipient, role, status: 'invited' });

    const inviteToken = jwt.sign(
      { email: recipient, scope: 'invite' },
      env.SECRET as string,
      { expiresIn: '7d' }
    );
    const acceptURL = `${env.PUBLIC_URL}/admin/accept-invite?token=${inviteToken}`;

    await sendInviteMail(recipient, acceptURL);
  }
}
- This sends the invitation link to the invitee's email address and returns nothing (neither the token nor the accept URL) to the user who accessed this endpoint; the token is also signed with the server's `env.SECRET`, so the caller cannot construct a valid link themselves. As such, it cannot be exploited.
