Fix LeanCloud Counter Plugin Security Vulnerability
Before you change the config, upgrade NexT to v6.0.6 or later.
Please note the difference between the **site config file** and the **theme config file**.
---
# Sign up to LeanCloud and create an app
- Go to LeanCloud website [leancloud.app](https://leancloud.app) and sign up to LeanCloud. Then login.
- Click `1` to enter the console:

- Then click `1` to create an app:

- Type your app name in `1` in the pop-up window (e.g. "test"), then choose `2`, which is the developer plan, and then click `3` to create the app:

# Create Counter class and enable plugin in NexT
- Click `1` (app name) to enter the app manage page:

- Then click `1` to create a class for the counter:

- Type `Counter` in `1` of the pop-up window, check `2`, then click `3`:

- Click `1` to enter the app setting, then click `2`:

- Paste the `App ID` and `App Key` into the **theme config file** `_config.yml` like this:
```yml
leancloud_visitors:
  enable: true
  app_id: #
  app_key: #
  # Required for apps from CN region
  server_url: #
  # Dependencies: https://github.com/theme-next/hexo-leancloud-counter-security
  security: true
```
- Set the domain whitelist: click `1`, then type your domain into `2` (**protocol, domain and port must match exactly**):

# Deploy web engine to avoid your data being changed illegally
- Click `1 -> 2 -> 3` in order:

- Click `1`:

- In the pop-up window, click `1` to choose the type `Hook`, then choose `beforeUpdate` in `2` and `Counter` in `3`. Paste the code below into `4`, then click `5` to save it:
```javascript
// Runs before every update of a Counter row
var query = new AV.Query("Counter");
// Only examine updates that touch the `time` field
if (request.object.updatedKeys.includes('time')) {
  return query.get(request.object.id).then(function (obj) {
    // Reject any update that would lower the stored count
    if (obj.get("time") > request.object.get("time")) {
      throw new AV.Cloud.Error('Invalid update!');
    }
    return request.object.save();
  });
}
```
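To see what the hook above does and does not catch, here is an added example (not code from the NexT wiki or from LeanCloud) that re-implements the hook's decision as a plain function and runs it over constructed update requests. The LeanCloud `AV` and `request` objects are replaced by plain JavaScript objects; `checkCounterUpdate`, `simulateHook`, `storedRow` and `sampleRequests` are names assumed for this example. It goes one step beyond the hook by also rejecting non-integer values, because a bare `>` comparison against a string or `undefined` is `false` in JavaScript and would let such an update through if the `Counter` class does not enforce a number type on `time`.

```javascript
// Added example: stand-alone model of the beforeUpdate hook's policy.
// storedRow: the row currently in the database, e.g. { time: 12 }
// update:    { updatedKeys: [...], fields: { time: 13, ... } }
// Returns { allowed: true|false, reason: '...' }.
function checkCounterUpdate(storedRow, update) {
  // Only updates that touch `time` are examined, exactly as the hook does.
  if (!update.updatedKeys.includes('time')) {
    return { allowed: true, reason: 'time not modified' };
  }
  const oldTime = storedRow.time;
  const newTime = update.fields.time;
  // Extra check (not in the page's hook): a string, NaN or undefined value
  // makes `oldTime > newTime` false, so it would otherwise be accepted.
  if (!Number.isInteger(newTime) || newTime < 0) {
    return { allowed: false, reason: 'time must be a non-negative integer' };
  }
  // The hook's own rule: a count may never go down.
  if (oldTime > newTime) {
    return { allowed: false, reason: 'Invalid update!' };
  }
  return { allowed: true, reason: 'time increased or unchanged' };
}

// Run a list of update requests through the check, one per save, the way
// the hook fires. Returns one boolean verdict per request.
function simulateHook(storedRow, requests) {
  return requests.map((req) => checkCounterUpdate(storedRow, req).allowed);
}

// Constructed sample data: one stored row and four incoming updates.
const storedRow = { time: 12 };
const sampleRequests = [
  { updatedKeys: ['time'], fields: { time: 13 } },     // normal +1 visit
  { updatedKeys: ['time'], fields: { time: 0 } },      // reset attempt
  { updatedKeys: ['title'], fields: { title: 'x' } },  // time untouched
  { updatedKeys: ['time'], fields: { time: 'abc' } },  // wrong type
];

console.log(simulateHook(storedRow, sampleRequests)); // [ true, false, true, false ]
```

Note that this rule only blocks decreases: any larger value is accepted, which is why the page also restricts write access to the class with ACLs in the section below.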

- Click `1` to deploy after the message in the red rectangle shows up:

- Click `1` in the pop-up:

- Click `1` to close the pop-up window after the message in the red rectangle shows up:

# Set access control for your database
- Open the **theme config file** `_config.yml` and set `security` under `leancloud_visitors` to `true`:
```yml
leancloud_visitors:
  enable: true
  app_id: #
  app_key: #
  # Required for apps from CN region
  server_url: #
  # Dependencies: https://github.com/theme-next/hexo-leancloud-counter-security
  security: true
```
- Open a terminal, change to the **root path of site**, and run this command to install the `hexo-leancloud-counter-security` plugin:
```bash
npm install hexo-leancloud-counter-security
```
- Open the **site config file** `_config.yml` and add this config:
```yml
leancloud_counter_security:
  enable_sync: true
  app_id:
  app_key:
  username:
  password:
```
- Run this command:
```bash
hexo lc-counter register
```
or
```bash
hexo lc-counter r
```
Pass your own username and password as the two arguments (they do not need to match your LeanCloud account). They will be used when deploying with Hexo.
- Open the **site config file** `_config.yml` and fill in `username` and `password` with the values you set above:
```yml
leancloud_counter_security:
  enable_sync: true
  app_id:
  app_key:
  username: # asked for at deploy time if left blank
  password: # recommended to leave blank for security; asked for at deploy time if left blank
```
- Add the deployer under `deploy` in the **site config file** `_config.yml`:
```yml
deploy:
  - type: git
    repo: # your repo
    # ...
  - type: leancloud_counter_security_sync
```
- Return to the LeanCloud console. Click `1 -> 2` and check that a record has been added to the `_User` class (the image below uses the username "admin" as an example):

- Click `1 -> 2 -> 3` in order:

- Click `1` (add_fields), then choose `2`, configured the same way as the "create" setting below (choose the user you created):

- Click `1` (create), then choose `2`, type the username in `3`, then click `4 -> 5`:

After finishing this step, your page should look similar to the image below.

- Click `1` (delete), then choose `2`:

Now the bug is fixed.
---
See detailed version here: https://leaferx.online/2018/03/16/lc-security-en/