search

deitch / cansecurity

nodejs/expressjs authentication and security library
MIT License
150 stars 53 forks source link

Convert IDs to the same type for comparison. #8

Closed socketwiz closed 9 years ago

socketwiz commented 9 years ago

When I use the api restrictToSelfOrRoles I end up here:

https://github.com/deitch/cansecurity/blob/master/lib/authorization.js#L20

and the comparison fails for me because on the left I have an integer and on the right I have a string. The string contains the integer value but since its not converted to an integer the test fails. I took the liberty of creating this PR to address it but this might be one of the differences between an express app and a restify app. For example, restify doesn't seem to have a param method on the req object. My first inclination was to fix this line such that if the param method was not available, fallback to the params (note the S) object which is available in restify. Then I came up with what I thought might be a better option, which was to simply add a param method to the restify req through middleware, so thats what I did. I basically "borrowed" the param method from express and glued it into restify:

https://gist.github.com/socketwiz/9c142302c1b8fc7fceb6

That leaves me with the problem I've addressed here. This PR fixes my problem, but I'm not sure what implications it would have on the project as a whole. Comments? Ideas?

deitch commented 9 years ago

This is interesting.

I have two concerns with this solution.

  1. What if the 2 items are not integers? IDs could be strings (I personally like using UUIDs or shortened versions of them, but to each their own).
  2. What if the param() method you provided isn't available?

The second problem can be solved by making cansecurity entirely tested and functioning under restify. I would like to get that done.

The first is the more pertinent question. req.param() will always return a string, since that is what every framework treats query params and path parts as. Are you saying that when the validation is done, and it returns the user object, the ID field is an integer?

I like the idea of parseInt, but since there is no way for the framework to know if we are dealing with int or string, maybe the other way around? Instead of parseInt, we should convert both of them to strings, to be safe? After all, a string a = "abc"; a.toString(); will still give "abc", while a=25; a.toString(); will give "25", so it is safe.

deitch commented 9 years ago

Yes. I just changed the tests to have the user ID for the first user to be 1 (integer) instead of "1" (string). They fail with the same issue. Then added the .toString() on the L20 comparison and it works. I am bumping number and pushing out. Thanks for bringing this up!

v0.6.17

deitch commented 9 years ago

The tests have all been updated to test for restify, and I included a version of your req.param() in there so it works cleanly.

socketwiz commented 9 years ago

Thanks for the quick reply. Yeah I wasn't sure about how you might want to handle the strings, parseInt worked for me, but I had a feeling you might go the other way. I just tested your update and it works great for me.

deitch commented 9 years ago

Great! Glad it worked, and now cansecurity has a broader range of use cases.