kasvith / express-mongo-jwt-boilerplate

Express Mongo JsonWebToken boilerplate

admin can be added by anyone #12

Open d0peCode opened 5 years ago

d0peCode commented 5 years ago

Currently a new admin can be added by anyone.

kasvith commented 5 years ago

Hi, @BorysTyminski can you do a PR fixing the issue :)

d0peCode commented 5 years ago

How do we want to solve this? I think an admin should only be created by another admin. However, at the start we don't have any admins.

Maybe we should have two separate collections for user and admin? I would also definitely like to add email confirmation after registration, and maybe IP saving on login and registration, as it's very common.

I think this is a pretty serious vulnerability. If some developer uses this boilerplate and doesn't realize an admin can be added by adding a role to the JSON that goes to the API, then a potential cracker can access any admin endpoint.

kasvith commented 5 years ago

I think we need to support a default admin. Then only he can add other admins.

This is pretty common in most products.

d0peCode commented 5 years ago

You still want to have admins and users in one collection? I think we should split them into two different Mongo collections, then rename auth.controller.js to user.controller.js, and also create user.route.js and refactor auth.route.js to contain only the demonstration "/secret" routes.

d0peCode commented 5 years ago

I'm about to create a new PR with the fix, but it will contain lots of changes, and I actually split users and admins into two collections.

kasvith commented 5 years ago

You are good to go.