The preHandler stage of the request lifecycle handles after parsing, so the inputs of the route are exposed to a malicious user. Suggest this be changed to
Hi @ramipellumbi, thank you for opening an issue. Is there a specific threat here? Regardless, I agree that we should move auth to be as early as possible—could you open a PR to make this change?
When registering the routes:
The preHandler stage of the request lifecycle handles after parsing, so the inputs of the route are exposed to a malicious user. Suggest this be changed to