Blue9 / fastify-swagger-react-query

Minimal Fastify server template with docs and client generation

Security Vulnerability: Route validation occurs before auth #1

Open ramipellumbi opened 3 weeks ago

ramipellumbi commented 3 weeks ago

When registering the routes:

preHandler: routeSpec.auth !== false ? authenticate : undefined,

The preHandler stage of the request lifecycle handles after parsing, so the inputs of the route are exposed to a malicious user. Suggest this be changed to

preParsing: routeSpec.auth !== false ? authenticate : undefined,

Blue9 commented 2 weeks ago

Hi @ramipellumbi, thank you for opening an issue. Is there a specific threat here? Regardless, I agree that we should move auth to be as early as possible—could you open a PR to make this change?