
"Delete All Backups" does not actually check for valid password

Open EdyTheCow opened this issue 2 months ago • 1 comments

Current Behavior

When you click "Delete All Backups" it requests you to provide a password before you can proceed with deleting all backups. Currently you can type anything you want and proceed with deletion of all backups.

Expected Behavior

It is supposed to check for valid password before deleting all backups.

Steps to Reproduce

  • Create a backup
  • Click "Delete All Backups"
  • Type anything in password field
  • Proceed with deleting all backups

Panel Version

Docker image: canary / canary-1e8410233aab68a2ac2b85904a8024b7c46a668e

Panel Installation Type

  • [x] Official Panel Docker image.
  • [ ] native install for Panel.
  • [ ] I used a third party installation script or Docker image.

Wings Version

Docker image: dev / sha-22add55

Wings Installation Type

  • [ ] Official Docker image.
  • [ ] Native install.
  • [x] Pyrodactyl Elytra
  • [x] Pterodactyl Wings
  • [ ] I used a third party installation script or Docker image.

Games and/or Eggs Affected

No response

Docker Image

No response

Error Logs


Is there an existing issue for this?

  • [x] I have searched the existing issues before opening this issue.
  • [x] I have provided all relevant details, including the specific game and Docker images I am using if this issue is related to running a server.
  • [x] I have checked in the Discord server and believe this is a bug with the software, and not a configuration issue with my specific system.

EdyTheCow avatar Oct 24 '25 12:10 EdyTheCow

Just tested deleting a single backup, same behavior. It is not checking for a valid password. As long as there is something typed, it will proceed with deleting it.

EdyTheCow avatar Oct 24 '25 12:10 EdyTheCow

Checking this out

imeesa avatar Dec 01 '25 17:12 imeesa

This was not what I expected to find at all

```js
const handleDeleteAll = async () => {
    if (!deleteAllPassword) {
        toast.error('Password is required to delete all backups.');
        return;
    }

    if (hasTwoFactor && !deleteAllTotpCode) {
        toast.error('Two-factor authentication code is required.');
        return;
    }

    setIsDeleting(true);

    try {
        const http = (await import('@/api/http')).default;
        await http.delete(`/api/client/servers/${uuid}/backups/delete-all`, {
            data: {
                password: deleteAllPassword,
                ...(hasTwoFactor ? { totp_code: deleteAllTotpCode } : {}),
            },
        });

        toast.success('All backups and repositories are being deleted. This may take a few minutes.');

        setDeleteAllModalVisible(false);
        setDeleteAllPassword('');
        setDeleteAllTotpCode('');

        // Websocket events will handle the UI updates automatically
    } catch (error) {
        toast.error(httpErrorToHuman(error));
    } finally {
        setIsDeleting(false);
    }
};
```

No password verification even attempted... (as implied by success no matter what)

imeesa avatar Dec 01 '25 17:12 imeesa

@ChecksumDev since you originally implemented this, was this meant to just check the same login password and 2FA code?

imeesa avatar Dec 01 '25 17:12 imeesa

~~Just checked again, this seems to be just client-side? I'll fix the error then~~ or not, success is also shown before delete is done

imeesa avatar Dec 01 '25 17:12 imeesa
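
The behaviour this issue expects, as an added example that is not from the thread or from the project's code: the server re-verifies the password (and the TOTP code when 2FA is enabled) before deleting anything, whatever the client checked. The account record, the scrypt hashing, and every function name here are assumptions for illustration; `presenceOnlyCheck` models the behaviour reported above.

```javascript
const { scryptSync, timingSafeEqual, createHmac } = require('node:crypto');

// Constructed sample account; a real panel would load this from its user store.
const salt = Buffer.from('constructed-salt');
const user = {
  salt,
  passwordHash: scryptSync('correct horse', salt, 32),
  totpSecret: Buffer.from('constructed-totp-key'), // null when 2FA is off
};

// RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) for a Unix time in ms.
function totp(secret, nowMs) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(nowMs / 30000)));
  const mac = createHmac('sha1', secret).update(counter).digest();
  const off = mac[19] & 0x0f;
  const bin = mac.readUInt32BE(off) & 0x7fffffff;
  return String(bin % 1e6).padStart(6, '0');
}

// timingSafeEqual throws on unequal lengths, so compare lengths first.
function safeEqual(a, b) {
  return a.length === b.length && timingSafeEqual(a, b);
}

// Models the reported behaviour: any non-empty value is accepted.
function presenceOnlyCheck(body) {
  return Boolean(body.password);
}

// Re-authentication performed on the server, independent of client checks.
function verifyReauth(account, body, nowMs = Date.now()) {
  if (typeof body.password !== 'string' || body.password.length === 0) return false;
  const candidate = scryptSync(body.password, account.salt, 32);
  if (!safeEqual(candidate, account.passwordHash)) return false;
  if (account.totpSecret) {
    const code = Buffer.from(String(body.totp_code ?? ''));
    if (!safeEqual(code, Buffer.from(totp(account.totpSecret, nowMs)))) return false;
  }
  return true;
}

// Handler shape: reject first, delete only after verification succeeds.
function deleteAllBackups(account, body, backups, nowMs) {
  if (!verifyReauth(account, body, nowMs)) return { status: 403, deleted: 0 };
  const deleted = backups.length;
  backups.length = 0;
  return { status: 204, deleted };
}
```

A regression test for this issue would send a wrong password to the delete endpoint and assert that the response is a rejection and that the backups still exist.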