From b3ef075e54f18c4785910887a7e2478c8121b382 Mon Sep 17 00:00:00 2001 From: Caleb Bae Date: Wed, 29 Apr 2026 15:56:48 -0500 Subject: [PATCH 1/2] Reject empty QR codes to close signup auth bypass --- server/router/admin.go | 9 +++++---- server/router/judge.go | 19 ++++++++----------- 2 files changed, 13 insertions(+), 15 deletions(-) diff --git a/server/router/admin.go b/server/router/admin.go index ec539ad..f3bf4ad 100644 --- a/server/router/admin.go +++ b/server/router/admin.go @@ -632,8 +632,8 @@ func CheckQRCode(ctx *gin.Context) { return } - // Send OK if QR code is right - if options.QRCode == qrReq.Code { + // Send OK or reject empty values + if qrReq.Code != "" && options.QRCode != "" && options.QRCode == qrReq.Code { ctx.JSON(http.StatusOK, gin.H{"ok": 1}) } else { ctx.JSON(http.StatusOK, gin.H{"ok": 0}) @@ -663,8 +663,9 @@ func CheckTrackQRCode(ctx *gin.Context) { return } - // Send OK if QR code is right - if options.TrackQRCodes[track] == qrReq.Code { + // Send OK or reject empty values + expected := options.TrackQRCodes[track] + if qrReq.Code != "" && expected != "" && expected == qrReq.Code { ctx.JSON(http.StatusOK, gin.H{"ok": 1}) } else { ctx.JSON(http.StatusOK, gin.H{"ok": 0}) diff --git a/server/router/judge.go b/server/router/judge.go index cd7da51..6572a39 100644 --- a/server/router/judge.go +++ b/server/router/judge.go @@ -1052,17 +1052,14 @@ func AddJudgeFromQR(ctx *gin.Context) { return err } - // Make sure the code is correct - if qrReq.Track == "" { - if qrReq.Code != options.QRCode { - ctx.JSON(http.StatusBadRequest, gin.H{"error": "invalid QR code"}) - return err - } - } else { - if qrReq.Code != options.TrackQRCodes[qrReq.Track] { - ctx.JSON(http.StatusBadRequest, gin.H{"error": "invalid QR code"}) - return err - } + // Make sure the code is correct and reject empty code + expectedCode := options.QRCode + if qrReq.Track != "" { + expectedCode = options.TrackQRCodes[qrReq.Track] + } + if qrReq.Code == "" || expectedCode == "" || qrReq.Code != expectedCode { + ctx.JSON(http.StatusBadRequest, gin.H{"error": "invalid QR code"}) + return err } // Check if the judge already exists From 25aee0321f5c704f5734e45695e305f40fb03b61 Mon Sep 17 00:00:00 2001 From: Caleb Bae Date: Wed, 29 Apr 2026 16:12:33 -0500 Subject: [PATCH 2/2] fix: empty token auth bypass --- server/database/judge.go | 4 ++++ server/router/middleware.go | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/server/database/judge.go b/server/database/judge.go index 205e313..e6c0b0d 100644 --- a/server/database/judge.go +++ b/server/database/judge.go @@ -41,7 +41,11 @@ func FindJudge(db *mongo.Database, ctx context.Context, id primitive.ObjectID) ( // FindJudgeByToken finds a judge by their token. // Returns judge as nil if no judge was found. +// Rejects empty tokens to prevent matching pre-login judges (Token defaults to "" in NewJudge). func FindJudgeByToken(db *mongo.Database, token string) (*models.Judge, error) { + if token == "" { + return nil, nil + } var judge models.Judge err := db.Collection("judges").FindOne(context.Background(), gin.H{"token": token}).Decode(&judge) if err == mongo.ErrNoDocuments { diff --git a/server/router/middleware.go b/server/router/middleware.go index e1100ce..ad51dc0 100644 --- a/server/router/middleware.go +++ b/server/router/middleware.go @@ -27,6 +27,10 @@ func AuthenticateJudge() gin.HandlerFunc { // Extract the token token := authHeader[7:] + if token == "" { + no("Invalid Authorization header, empty token", ctx) + return + } // Make sure the token is valid (check for judge in database) state := GetState(ctx)