Real-Dev-Squad / website-backend

The backend code for all our website-related apps
https://api.realdevsquad.com/
MIT License
54 stars 255 forks

[RFC] Restrict modification of sensitive data in user model. #1497

Open Ajeyakrishna-k opened 1 year ago

Ajeyakrishna-k commented 1 year ago

Problem statement

Currently, any user registered with RDS can modify their own roles/sensitive data using an API, and this updates the user model in our DB. This is a security risk, as most of our websites filter content based on the roles received from the same user model. Also, a user can update their own Discord ID after being verified.

Impact:

Known places where the endpoint is currently being used:

  1. User Profile page - my-site.
  2. signup page - my-site.
  3. Authorise discord page - my-site.

Proposed work

Implement a new user update flow where user is not allowed to update their roles and other sensitive information.

Success criteria

Solutions

Solution 1:

Update the validator for this particular route so that it doesn't allow users to update their own restricted data.

Solution 2:

As a stopgap solution, whenever this endpoint updates any sensitive user data and it is used by someone other than a super user, we will archive the user.

Solution 3:

Create a Data-Access module to restrict read and write access to the user model. This module should intercept both the request and the response of a route and filter them based on the user ID received from the authentication token.

Solution 4:

Develop Role-Based Access Control (RBAC), where we store sensitive information in a different table/document.
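An added example (not code from the website-backend repository) sketching how Solutions 1 and 3 above could be combined: a deny-list validator for the self-update route that rejects restricted fields unless the caller is a super user, plus a read-side filter that hides private fields from anyone but the owner or a super user. The field names (`roles`, `discordId`, `email`, `phone`, ...), the role name `super_user`, and the assumption that the auth middleware populates `req.userData` from the verified token are all assumptions for this example, not the project's actual model.

```javascript
"use strict";

// Fields a non-super-user may never change on their own user document.
// These names are assumptions for the example; the real model may differ.
const RESTRICTED_WRITE_FIELDS = new Set(["roles", "discordId", "id", "incompleteUserDetails"]);

// Fields that only the owner or a super user may read back from the API.
const PRIVATE_READ_FIELDS = new Set(["email", "phone", "discordId"]);

const SUPER_USER_ROLE = "super_user"; // assumed role name

// Keys that must never be accepted from a JSON body, whatever the caller's role,
// because they can pollute Object.prototype when merged into a document.
const POISON_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isSuperUser(caller) {
  return Boolean(caller && caller.roles && caller.roles[SUPER_USER_ROLE] === true);
}

// Reduce "roles.super_user" or "roles[0]" style paths to their top-level field so a
// dotted update (which Firestore-style stores accept) cannot bypass the deny-list.
function topLevelField(key) {
  return key.split(/[.\[]/, 1)[0];
}

// Decide whether `body` (the PATCH payload) may be applied on behalf of `caller`
// (identity taken from the verified token, never from the body itself).
// Returns { ok: true, update } or { ok: false, status, rejected, reason }.
function authorizeUserWrite(body, caller) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, status: 400, rejected: [], reason: "body must be an object" };
  }
  const keys = Object.keys(body);
  const poisoned = keys.filter((k) => POISON_KEYS.has(topLevelField(k)));
  if (poisoned.length > 0) {
    return { ok: false, status: 400, rejected: poisoned, reason: "forbidden key" };
  }
  if (isSuperUser(caller)) {
    return { ok: true, update: { ...body } };
  }
  // Reject rather than silently strip: a client that asked to change roles
  // should learn that the request was refused, not believe it succeeded.
  const rejected = keys.filter((k) => RESTRICTED_WRITE_FIELDS.has(topLevelField(k)));
  if (rejected.length > 0) {
    return { ok: false, status: 403, rejected, reason: "restricted field" };
  }
  return { ok: true, update: { ...body } };
}

// Response-side filter: drop private fields unless the caller owns the document
// or is a super user.
function filterUserRead(userDoc, caller) {
  const isOwner = Boolean(caller && caller.id === userDoc.id);
  if (isOwner || isSuperUser(caller)) {
    return { ...userDoc };
  }
  const out = {};
  for (const [k, v] of Object.entries(userDoc)) {
    if (!PRIVATE_READ_FIELDS.has(k)) out[k] = v;
  }
  return out;
}

// Express-style middleware for the self-update route. Assumes an earlier auth
// middleware set req.userData from the token; req.body is the parsed JSON.
function restrictSelfUpdate(req, res, next) {
  const result = authorizeUserWrite(req.body, req.userData);
  if (!result.ok) {
    return res.status(result.status).json({ error: result.reason, fields: result.rejected });
  }
  req.body = result.update; // only the permitted keys reach the model layer
  return next();
}

module.exports = { authorizeUserWrite, filterUserRead, restrictSelfUpdate, topLevelField };
```

The write guard takes the caller from the verified token rather than from the payload, so a user cannot claim super-user status in the same request that tries to change `roles`; checking the top-level field of dotted keys closes the gap where a store that accepts `"roles.super_user": true` would otherwise treat it as a new, unrestricted key.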

iamitprakash commented 1 year ago

@Aryex82 as discussed, please get the details and update the RFC

iamitprakash commented 1 year ago

@Aryex82 Solution 3 looks good to me; I hope you will consider that a super user can update details