From d45c1d68592a0bc905fa048f2fbff69642e8df57 Mon Sep 17 00:00:00 2001
From: Henry Tu <henry@henrytu.me>
Date: Thu, 5 Jan 2023 17:30:03 -0500
Subject: [PATCH] Fixed bug where global variable in `validateGroup` was
 mutated after every call to the middleware function, causing a "memory leak"
 in a sense.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The bug was a result of the admin role being pushed to the `group` array every time an endpoint using that particular validator was invoked. The fix for this was to move these operations outside the closure, since they really only need to be executed once.

This bug isn't particularly dangerous on face level, but if someone were to spam the API then the server could potentially start running out of memory.

Reproducing the bug from an account without proper authorization to use an endpoint:
```
$ curl 'https://root.treehacks.com/api/judges'  ...
Unauthorized; user is not in group admin,admin,admin,admin,admin,admin,admin,admin,admin,admin,admin,admin.%
$ curl 'https://root.treehacks.com/api/judges'  ...
Unauthorized; user is not in group admin,admin,admin,admin,admin,admin,admin,admin,admin,admin,admin,admin,admin.%
```
Notice how the number of `admin`s gets a bit longer? That doesn't look right 🧐
---
 backend/router/authenticatedRoute.ts | 58 ++++++++++++++--------------
 1 file changed, 30 insertions(+), 28 deletions(-)

diff --git a/backend/router/authenticatedRoute.ts b/backend/router/authenticatedRoute.ts
index dcc3a195..475c71a7 100644
--- a/backend/router/authenticatedRoute.ts
+++ b/backend/router/authenticatedRoute.ts
@@ -39,46 +39,48 @@ authenticatedRoute.param('userId', (req, res, next, userId) => {
 });
 
 
-const validateGroup = (group, allowAnonymous = false, allowNoGroupMatching = false) => (req, res, next) => {
+const validateGroup = (group, allowAnonymous = false, allowNoGroupMatching = false) => {
   // Allow either a single group or multiple valid groups passed as an array
   if (!Array.isArray(group)) { group = [group]; }
 
   group = group.filter(e => ALLOWED_GROUPS.indexOf(e) > -1);
-  
+
   group.push("admin"); // admins have access to all routes.
 
-  let accessTokenFromClient = req.headers.authorization;
+  return (req, res, next) => {
+    let accessTokenFromClient = req.headers.authorization;
 
-  cognitoExpress.validate(accessTokenFromClient, function (err, response) {
-    if (err) {
-      if (allowAnonymous) {
-        res.locals.user = {};
-        next();
-        return;
+    cognitoExpress.validate(accessTokenFromClient, function (err, response) {
+      if (err) {
+        if (allowAnonymous) {
+          res.locals.user = {};
+          next();
+          return;
+        }
+        else {
+          return res.status(401).send(err);
+        }
       }
-      else {
-        return res.status(401).send(err);
-      }
-    }
-    res.locals.user = response;
-    if (res.locals.user['cognito:groups'] && group.some(g => res.locals.user['cognito:groups'].indexOf(g) !== -1)) {
-      next();
-    }
-    else {
-      if (allowNoGroupMatching) {
-        next();
-        return;
-      }
-      if (allowAnonymous) {
-        res.locals.user = {};
+      res.locals.user = response;
+      if (res.locals.user['cognito:groups'] && group.some(g => res.locals.user['cognito:groups'].indexOf(g) !== -1)) {
         next();
-        return;
       }
       else {
-        return res.status(403).send("Unauthorized; user is not in group " + group  + ".");
+        if (allowNoGroupMatching) {
+          next();
+          return;
+        }
+        if (allowAnonymous) {
+          res.locals.user = {};
+          next();
+          return;
+        }
+        else {
+          return res.status(403).send("Unauthorized; user is not in group " + group  + ".");
+        }
       }
-    }
-  });
+    });
+  }
 }
 
 export const adminRoute = express.Router();