CS3219-AY2324S1 / ay2324s1-course-assessment-g05

A collaborative technical interview preparation platform that is going to boost your interview performance!
MIT License

Update User Service `getUserById` endpoint to not return secrets #133

Closed tryyang2001 closed 1 year ago

tryyang2001 commented 1 year ago

The problem

Currently, the auth service is using the user service's getUserById (and perhaps more endpoints) to verify if a user is valid, whether the password matches, etc. However, this is not a good practice. The issue is that we actually call getUserById a lot of times and we are not using password, passwordResetToken, etc.

{
  "id": "Your Id",
  "name": "Your Name",
  "email": "youremail@domain.com",
  "role": "USER",
  "image": "http://your-image.png",
  "bio": "Your Bio",
  "gender": "MALE",
  "createdOn": "2023-10-17T15:30:30.751Z",
  "updatedOn": "2023-10-27T09:31:02.105Z",
  "isVerified": true,
  "password": "Your Password...",
  "verificationToken": "",
  "passwordResetToken": null,
  "preferences": {
    "languages": [
      "C++"
    ],
    "topics": [
      "DYNAMIC PROGRAMMING"
    ],
    "difficulties": [
      "MEDIUM",
      "EASY"
    ]
  }
}

So, I plan to update getUserById to not return password, verificationToken, and passwordResetToken. I will update auth service and frontend accordingly as needed. The updated getUserById endpoint response should only return:

{
  "id": "clmlp93wz00007kbwvws8oynd",
  "name": "Your Name",
  "email": "youremail@domain.com",
  "role": "USER",
  "image": "http://your-image.png",
  "bio": "Your Bio",
  "gender": "MALE",
  "createdOn": "2023-10-17T15:30:30.751Z",
  "updatedOn": "2023-10-27T09:31:02.105Z",
  "isVerified": true,
  "preferences": {
    "languages": [
      "C++"
    ],
    "topics": [
      "DYNAMIC PROGRAMMING"
    ],
    "difficulties": [
      "MEDIUM",
      "EASY"
    ]
  }
}
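One way to implement the trimmed response described above is an allowlist projection: the endpoint copies only the fields it is permitted to return, so a column added later (or a future `{ ...user }` spread) does not silently leak. The following is an added example written for this issue, not the project's own code; the `UserRecord` type is an assumption about the stored row, and the field names are the ones in the JSON quoted in the issue.

```typescript
// Added example, not the project's code: an allowlist projection for the
// user-service getUserById response. Field names follow the JSON quoted in
// the issue; the UserRecord type is an assumption about the stored row.

type Preferences = { languages: string[]; topics: string[]; difficulties: string[] };

// Assumed shape of the row as the user service reads it from the database.
type UserRecord = {
  id: string;
  name: string;
  email: string;
  role: string;
  image: string;
  bio: string;
  gender: string;
  createdOn: string;
  updatedOn: string;
  isVerified: boolean;
  password: string;
  verificationToken: string;
  passwordResetToken: string | null;
  preferences: Preferences;
};

// Fields getUserById is allowed to return. Anything not listed, including
// password, verificationToken, passwordResetToken and any column added later,
// is dropped: the default is "hidden", not "exposed".
const PUBLIC_USER_FIELDS = [
  "id", "name", "email", "role", "image", "bio", "gender",
  "createdOn", "updatedOn", "isVerified", "preferences",
] as const;

type PublicUser = Pick<UserRecord, (typeof PUBLIC_USER_FIELDS)[number]>;

// Fields that must never appear in any response body, used for a last check.
const SECRET_FIELDS: readonly string[] = ["password", "verificationToken", "passwordResetToken"];

function toPublicUser(user: UserRecord): PublicUser {
  const out: Record<string, unknown> = {};
  for (const key of PUBLIC_USER_FIELDS) out[key] = user[key];
  return out as unknown as PublicUser;
}

// Defence in depth for a response test: walk the body that would be serialised
// and report every secret field found, nested objects included. A refactor
// that spreads the whole record (`{ ...user }`) then fails a test instead of
// leaking. Returns the dotted paths of offending keys; empty means clean.
function leakedSecretFields(body: unknown): string[] {
  const found: string[] = [];
  const walk = (value: unknown, path: string): void => {
    if (value === null || typeof value !== "object") return;
    for (const [key, child] of Object.entries(value as Record<string, unknown>)) {
      const here = path ? `${path}.${key}` : key;
      if (SECRET_FIELDS.includes(key)) found.push(here);
      walk(child, here);
    }
  };
  walk(body, "");
  return found;
}

// Constructed sample row mirroring the response quoted in the issue; the
// password value is a placeholder standing in for a password hash.
const sampleRecord: UserRecord = {
  id: "clmlp93wz00007kbwvws8oynd",
  name: "Your Name",
  email: "youremail@domain.com",
  role: "USER",
  image: "http://your-image.png",
  bio: "Your Bio",
  gender: "MALE",
  createdOn: "2023-10-17T15:30:30.751Z",
  updatedOn: "2023-10-27T09:31:02.105Z",
  isVerified: true,
  password: "<password hash placeholder>",
  verificationToken: "",
  passwordResetToken: null,
  preferences: { languages: ["C++"], topics: ["DYNAMIC PROGRAMMING"], difficulties: ["MEDIUM", "EASY"] },
};
```

The allowlist is the important part: a denylist (`delete user.password`) has to be kept in sync every time a sensitive column is added, while the allowlist only ever grows when a field is deliberately made public. `leakedSecretFields` is meant for the endpoint's tests, run over the serialised body.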
tlyi commented 1 year ago

That's a good idea! Thanks @tryyang2001! However, one issue I can think of now is that the frontend/src/components/profile/ChangePassword.tsx component on the frontend actually requires the password value in the user in order to verify if the old password is correct. I guess we can solve this by calling a different endpoint just for this page, or by letting the ChangePassword endpoint in auth handle this logic instead (downside is that the user will not get immediate feedback on the frontend until the submit button is pressed)

tryyang2001 commented 1 year ago

I see, yes, we should create a separate endpoint in the user service for the frontend to retrieve the password. Thanks for letting me know, this is very helpful! Then for the auth service backend, we can directly access the database; this can reduce the coupling to the "database level" instead of the whole "user service" level.
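The second option tlyi describes, letting the ChangePassword endpoint in the auth service do the old-password check, is the one that keeps the stored hash off the client entirely: the frontend sends the old and new plaintext values, and the server compares against the hash it already holds. The following is an added example of that flow, not the project's code. `StoredUser` and the in-memory `Map` stand in for the user table or a user-service call, the KDF is Node's built-in scrypt (bcrypt or argon2 would serve as well), and the password policy and cost parameters are assumptions.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Added example, not the project's code: the change-password flow done in the
// auth service, so the stored hash is compared server-side and never sent to
// the frontend. StoredUser and the Map below stand in for the user table; the
// KDF is Node's built-in scrypt (bcrypt or argon2 would serve as well).

type StoredUser = { id: string; passwordHash: string; passwordResetToken: string | null };

const users = new Map<string, StoredUser>(); // constructed stand-in for the DB

const SCRYPT = { N: 16384, r: 8, p: 1 }; // assumption: tune the cost for the deployment
const KEY_LEN = 32;

// Stores salt and cost next to the derived key, so a hash can be verified
// later and the cost raised over time without a schema change.
function hashPassword(password: string): string {
  const salt = randomBytes(16);
  const key = scryptSync(password, salt, KEY_LEN, SCRYPT);
  return `scrypt$${SCRYPT.N}$${salt.toString("hex")}$${key.toString("hex")}`;
}

function verifyPassword(password: string, stored: string): boolean {
  const parts = stored.split("$");
  if (parts.length !== 4 || parts[0] !== "scrypt") return false;
  const n = Number(parts[1]);
  if (!Number.isInteger(n) || n < 2 || (n & (n - 1)) !== 0) return false; // scrypt N must be a power of two
  const expected = Buffer.from(parts[3], "hex");
  if (expected.length === 0) return false;
  const actual = scryptSync(password, Buffer.from(parts[2], "hex"), expected.length, { ...SCRYPT, N: n });
  // Constant-time compare; timingSafeEqual throws on length mismatch, so check first.
  return actual.length === expected.length && timingSafeEqual(actual, expected);
}

// Used when the user does not exist, so that request costs as much as a real
// verification and the endpoint cannot be used to enumerate user ids by timing.
const DUMMY_HASH = hashPassword(randomBytes(16).toString("hex"));

type ChangePasswordResult =
  | { ok: true }
  | { ok: false; error: "invalid_credentials" | "weak_password" };

// What the auth-service ChangePassword handler would do with the request body.
function changePassword(userId: string, oldPassword: string, newPassword: string): ChangePasswordResult {
  const user = users.get(userId);
  const oldOk = verifyPassword(oldPassword, user ? user.passwordHash : DUMMY_HASH);
  // One generic error for "unknown user" and "wrong old password".
  if (!user || !oldOk) return { ok: false, error: "invalid_credentials" };
  // Assumed policy: a minimum length and no reuse of the current password.
  if (newPassword.length < 8 || newPassword === oldPassword) return { ok: false, error: "weak_password" };
  user.passwordHash = hashPassword(newPassword);
  // A pending reset token must not outlive a successful password change.
  user.passwordResetToken = null;
  return { ok: true };
}

function createUser(id: string, password: string): void {
  users.set(id, { id, passwordHash: hashPassword(password), passwordResetToken: null });
}
```

The cost of this design is the one tlyi notes: the user only learns that the old password was wrong after submitting the form. In exchange, no endpoint ever hands a password hash to the browser, and the handler also clears a pending reset token and answers unknown users and wrong passwords with the same error in the same time.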