akveo / ngx-admin-bundle-support

Support repository for ngx-admin backend bundles with issues tracking, instructions and code samples

editing current user api #24

Closed mhhonline closed 4 years ago

mhhonline commented 4 years ago

Greetings,

On the nodejs + ecomm version, I found that editing the current user takes the id from the body, not from req.user.id. In Postman, I managed to change the information for any user.

```javascript
// As posted: the id used for the update comes from req.body, not from req.user.id
router.put('/current', (req, res) => {
  userService
    .editUser(req.body)
    .then(user => res.send(user));
});
```

By the way, where is req.user saved? Can a hacker manipulate it? Is it safe to take information from it, like depending on the role that comes from it?

In my case I built a checker after auth that checks the user role to allow them to perform the operation.

```javascript
router.delete('/:id', authService.roleAuthorization(['admin']), (req, res) => {
  userService
    .deleteUser(req.params.id)
    .then(() => res.send({ id: req.params.id }))
    .catch(err => res.send(err));
});
```

In roleAuthorization, I check req.role.

Thanks
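As an added example (not code from the ngx-admin bundle or from the commenter), the vulnerable "edit current user" handler described above beside a hardened version. Express and the real userService are replaced by plain functions and a constructed in-memory store so the file runs stand-alone; the field list and store contents are assumptions.

```javascript
// Constructed in-memory user store standing in for the bundle's userService.
const users = new Map([
  [1, { id: 1, email: 'alice@example.test', role: 'admin' }],
  [2, { id: 2, email: 'bob@example.test', role: 'user' }],
]);

const userService = {
  // Merges whatever it is given into the stored record, keyed by data.id.
  editUser(data) {
    const current = users.get(data.id);
    if (!current) throw new Error('user not found');
    const updated = { ...current, ...data };
    users.set(data.id, updated);
    return updated;
  },
};

// Vulnerable shape from the issue: the id (and any other field, e.g. role)
// is taken straight from the request body, so an authenticated caller can
// overwrite any user's record by choosing the id (an IDOR / mass assignment).
function editCurrentUserVulnerable(req) {
  return userService.editUser(req.body);
}

// Hardened: identity comes only from req.user (set by the JWT middleware
// after signature verification), and only an allow-list of fields is copied
// from the body, so id and role in the body are ignored.
const EDITABLE_FIELDS = ['email', 'firstName', 'lastName']; // assumed allow-list

function editCurrentUserHardened(req) {
  if (!req.user || typeof req.user.id !== 'number') {
    throw new Error('unauthenticated'); // would be a 401 in Express
  }
  const patch = { id: req.user.id };
  for (const field of EDITABLE_FIELDS) {
    if (field in req.body) patch[field] = req.body[field];
  }
  return userService.editUser(patch);
}
```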

valentinkononov commented 4 years ago

Hi,

Yes, there is a case. Basically it's not critical.

req.user is decrypted automatically from the token, standard JWT header. Payload: basic user information (id, role).

(so it is stored in the header, something like this: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1laWRlbnRpZmllciI6IjIiLCJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1lIjoiQFVzZXIiLCJyb2xlIjoidXNlciIsIm5iZiI6MTU2NDA2MTQ1NywiZXhwIjoxNTk1NjgzODU3LCJpc3MiOiJpc3N1ZXJfc2FtcGxlIiwiYXVkIjoiYXVkaWVuY2Vfc2FtcGxlIn0.xAAbQIOsw3ZXlIxDFnv5NynZy7OfzrvrJYWsy2NEBbA)