Search code examples
gungundb

GUN node added with SEA (gun.user()) not secure?

After creation a new user, auth and adding some data. In second browser one can easily delete the data... What am I doing wrong?

First browser (Firefox private window):

<!doctype html>
<meta charset="utf-8">
<body>
    <script src="https://cdn.jsdelivr.net/npm/gun/gun.js"></script>
    <script src="https://cdn.jsdelivr.net/npm/gun/sea.js"></script>
    <script>
        localStorage.clear()
        var gun = Gun({ peers: ['http://localhost:8765/gun'] });
        var user = gun.user();
        user.create('u1','p1',()=>{
            user.auth('u1','p1', ()=>{
                user.set({some:'thing'}).on(() => {})
            })
        })
    </script>
</body>
</html>

Second (Chrome incognito):

<!doctype html>
<meta charset="utf-8">

<body>
    <script src="https://cdn.jsdelivr.net/npm/gun/gun.js"></script>
    <script src="https://cdn.jsdelivr.net/npm/gun/sea.js"></script>
    <script>
        localStorage.clear()
        var gun = Gun({ peers: ['http://localhost:8765/gun'] });
        gun.on()
    </script>

</body>

</html>

Peer on port 8765 started with http.js from examples.

After this in the second browser in the storage localStorage.getItem('gun/') I get nodes prefixed with undefined like: undefined~@u1 and undefinedSoulfofsomething I also can delete content with gun.get('Soulofsomething').put({some:null}). If this is normal behavior, how to protect data from attack? Only option is bulletcatcher?

Solution

  • EDIT:

    This should now be fixed in latest GUN 0.2020.421!

    @brezyl thank you for bringing up this issue, if you are seeing undefined~@... that definitely looks like a bug and that the data is not saving to where it should be saving (the protected user space).

    I'll check into this urgently, I'll also send a notice out to the community if anybody is experiencing the same.

    Until then, yes, please use a different version of GUN & SEA, or assume undefined is indication of erros/bugs going on resulting in security loss.

    Updates:

    @brezyl Update: So far I'm noticing that .put( seems to be OK, primitive value .set( seem OK, but .set(object NOT OK OR SAFE. Investigating further.

    @brezyl update: I have found 2 ways to fix it, and will be doing both to add extra failsafes. Hopefully will be publishing ASAP (tests/review may take a while).