fix auth bypass on picker endpoint, async safety, and picker error handling

- Add check_permission to drive-picker-token endpoint (IDOR fix)
- Use get_composio_service singleton + asyncio.to_thread to avoid blocking the event loop
- Sanitize error detail in 500 response to prevent internal info leakage
- Dispose picker on unmount to prevent orphaned overlay
- Surface error state on Google Picker Action.ERROR instead of silently closing
This commit is contained in:
CREDO23 2026-03-10 23:21:35 +02:00
parent 3bda6c1679
commit cf8f70da2b
2 changed files with 33 additions and 12 deletions


@ -87,7 +87,14 @@ export function useGooglePicker({ connectorId, onPicked }: UseGooglePickerOption
}
};
window.addEventListener("keydown", onEscape);
return () => window.removeEventListener("keydown", onEscape);
return () => {
window.removeEventListener("keydown", onEscape);
if (pickerRef.current) {
pickerRef.current.dispose();
pickerRef.current = null;
}
openingRef.current = false;
};
}, [closePicker]);
const openPicker = useCallback(async () => {
@ -147,13 +154,17 @@ export function useGooglePicker({ connectorId, onPicked }: UseGooglePickerOption
}
}
if (
action === google.picker.Action.PICKED ||
action === google.picker.Action.CANCEL ||
action === google.picker.Action.ERROR
) {
closePicker();
}
if (action === google.picker.Action.ERROR) {
setError("Google Drive encountered an error. Please try again.");
}
if (
action === google.picker.Action.PICKED ||
action === google.picker.Action.CANCEL ||
action === google.picker.Action.ERROR
) {
closePicker();
}
})
.build();
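Review bot: The new cleanup block in the first hunk (the `return () => { … }` that disposes `pickerRef.current` and resets `openingRef`) runs not only on unmount but on every re-run of the effect, and the effect's dependency list is `[closePicker]`; if that callback is not referentially stable, a live picker will be disposed and `openingRef.current` reset while the user is still selecting a file, which is a different behaviour from the "dispose on unmount" the commit message describes. Worth confirming that `closePicker` is a `useCallback` with constant dependencies, or otherwise moving the dispose/reset into its own effect with an empty dependency array so it fires only on unmount. The intent would also be clearer with a comment on the new block such as `// Dispose any open picker on unmount so no orphaned overlay survives the component`. The enclosing effect and `closePicker` itself start outside the hunk, so whether `closePicker` clears the error state set in the second hunk before the message is shown also cannot be confirmed from here.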