fedect1 / graduation-project-fedect1

graduation-project-fedect1 created by GitHub Classroom
MIT License

#Security #Session Hide crucial information as best as you can #14

Open Dr4gon opened 1 year ago

Dr4gon commented 1 year ago

@fedect1 I wouldn't give out a userId in the REST path because it's the primary identifier for every action within the app, i.e. someone technically versed might misuse it to do operations for that user or retrieve more details. Send the userId at least hidden in the request parameters.

To completely hide that information you would use a JSON Web Token that only transfers an encrypted session token that you decode in the backend to verify the user and the validity of the session.

postHandler.js

```js
// Imports and the store wrapper are added so the fragment stands on its own;
// Pinia is assumed from the `actions` / `this.posts` shape of the original.
import { defineStore } from 'pinia'
import axios from 'axios'

export const usePostStore = defineStore('posts', {
  state: () => ({ posts: [], post: null, comments: [], comment: null, like: null }),
  actions: {
    async fetchPosts() {
      this.posts = (await axios.get('/posts')).data
    },
    async fetchPostById(postId) {
      this.post = (await axios.get(`/posts/${postId}`)).data
    },
    async createPost(bodyPost) {
      this.post = (await axios.post('/posts', { bodyPost })).data
    },
    async createComment(postId, text, user) {
      this.comment = (await axios.post(`/posts/${postId}/comments`, { text, user })).data
    },
    async fetchComments(postId) {
      this.comments = (await axios.get(`/posts/${postId}/comments`)).data
    },
    async likePost(postId, userId) {
      // userId travels in the request body here
      this.like = (await axios.post(`/posts/${postId}/likes`, { userId })).data
    },
    async dislikePost(postId, userId) {
      // userId is part of the URL path (the exposure this issue is about)
      this.like = (await axios.delete(`/posts/unlike/${postId}/${userId}`)).data
    },
    async deletePost(postId, userId) {
      // userId is part of the URL path
      await axios.delete(`/posts/${postId}/${userId}`)
    },
    async deleteComment(postId, commentId, userId) {
      // userId is part of the URL path
      await axios.delete(`/posts/${postId}/comments/${commentId}/${userId}`)
    }
  }
})
```