There are some extremely concerning security vulnerabilities in this project that even the weakest of hackers could exploit.
Is this product a ragebait/troll?
1) Account takeover of any user with just their email: POST /v1/account/recovery with any user's email, the API response gives you the plaintext recovery secret. Call PUT /v1/account/recovery with that secret + a new password. You now own their account. No email inbox access needed. Two curl commands.
2) Password hashes returned by the API: GET /v1/users with any API key returns every user's full argon2 hash, algorithm, and tuning parameters. Tested and got $argon2id$v=19$m=65536,t=3,p=4$... for test@kraz.in.
3) CORS reflects any origin with credentials: Send Origin: https://evil.com to any endpoint — server responds with Access-Control-Allow-Origin: https://evil.com + Access-Control-Allow-Credentials: true. Any website on the internet can silently read authenticated API responses from logged-in users.
There are literally like 50 more of these though. The author probably didn't spend more than 5 minutes on security hardening.
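The CORS behaviour in point 3 is a configuration decision, so here is an added example (not the project's code) showing the reflecting variant the commenter describes beside an allowlist-based one, plus a small audit check for a response's headers. The allowlisted origins are constructed for the demo.

```python
# Added example, not from the project under discussion: deciding CORS response
# headers from a fixed allowlist instead of reflecting the request's Origin.
# The allowlist entries are constructed values.
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: only these exact origins may make credentialed requests.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})


def normalize_origin(origin: str) -> Optional[str]:
    """Return scheme://host[:port] in lowercase, or None if not a well-formed origin."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    # A real Origin header carries no path, query or fragment.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def reflecting_cors_headers(request_origin: Optional[str]) -> dict:
    """The weak behaviour described in the thread: whatever Origin arrives is
    echoed back together with Allow-Credentials, so any site can read
    authenticated responses with the victim's cookies."""
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers(request_origin: Optional[str]) -> dict:
    """Hardened behaviour: emit the header only for an allowlisted origin, and
    echo the allowlisted value rather than the raw request header. Vary: Origin
    tells caches the answer depends on the Origin header."""
    headers = {"Vary": "Origin"}
    if request_origin is None:
        return headers
    origin = normalize_origin(request_origin)
    if origin is None or origin not in ALLOWED_ORIGINS:
        return headers  # no ACAO header at all: the browser blocks the read
    headers["Access-Control-Allow-Origin"] = origin
    headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def is_reflecting_credentials(request_origin: str, response_headers: dict) -> bool:
    """Audit helper: True if a response grants credentialed access to an origin
    that is not on the allowlist (the misconfiguration the comment reports)."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None or not creds:
        return False
    return normalize_origin(acao) not in ALLOWED_ORIGINS or acao == "*"
```

Run `is_reflecting_credentials` against the headers your own service returns for an unlisted Origin; a `True` result is the finding described above.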
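Points 1 and 2 are both about credential material leaving the server in API responses. As an added example (not the project's code), here is a recovery flow in which the secret is never returned, only its hash is stored, the token is single-use and time-limited, and the user serializer omits the password hash entirely. The in-memory store, the outbox standing in for email delivery, and the placeholder hash string are all constructed for the demo.

```python
# Added example, not the project's code: account recovery that keeps the
# secret out of API responses and stores only its hash. USERS and OUTBOX are
# constructed stand-ins for a database and an email channel.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

RECOVERY_TTL_SECONDS = 15 * 60


@dataclass
class User:
    user_id: int
    email: str
    password_hash: str                      # argon2id PHC string in practice; never leaves the server
    recovery_secret_hash: Optional[str] = None
    recovery_expires_at: float = 0.0


USERS: dict = {}        # email -> User (constructed store)
OUTBOX: list = []       # (email, secret) pairs: stand-in for the mail channel


def hash_secret(secret: str) -> str:
    # Recovery secrets are high-entropy random tokens, so SHA-256 suffices here;
    # the point is that reading the database does not yield a usable secret.
    return hashlib.sha256(secret.encode()).hexdigest()


def public_user_view(user: User) -> dict:
    """What a user-listing endpoint should return: no hash, algorithm or parameters."""
    return {"id": user.user_id, "email": user.email}


def start_recovery(email: str, now: Optional[float] = None) -> dict:
    """Begin recovery. The response is identical whether or not the email exists
    (no account enumeration) and never contains the secret; the secret goes only
    to the out-of-band channel."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is not None:
        secret = secrets.token_urlsafe(32)
        user.recovery_secret_hash = hash_secret(secret)
        user.recovery_expires_at = now + RECOVERY_TTL_SECONDS
        OUTBOX.append((email, secret))
    return {"status": "ok"}


def finish_recovery(email: str, secret: str, new_password_hash: str,
                    now: Optional[float] = None) -> bool:
    """Complete recovery: expiry check, constant-time compare, single use.
    new_password_hash stands in for the argon2id hash a real endpoint would
    compute server-side from the submitted password."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is None or user.recovery_secret_hash is None:
        return False
    if now > user.recovery_expires_at:
        user.recovery_secret_hash = None
        return False
    if not hmac.compare_digest(user.recovery_secret_hash, hash_secret(secret)):
        return False
    user.password_hash = new_password_hash
    user.recovery_secret_hash = None   # single use
    return True
```

The two properties worth checking in a code review are that `start_recovery`'s return value is constant and that nothing but `OUTBOX` ever sees the raw secret.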
Nicely built.
Can you try running any SQL query? Like "select count(*) from todos"? Seems the connection limit has been reached.
Also, tables are not getting listed either. Just the cached ones are getting listed, and they too go away within a few seconds.
'Failed to execute SQL: too many connections for database "postgres"'
You know why connections have exhausted? Because I issued this: "ALTER DATABASE postgres CONNECTION LIMIT 0;"
Nice UI, but same security vulnerabilities as I've seen typically found in vibe-coded projects.