labbsr0x / whisper

A cloud-native Identity and OAuth Provider implemented with Golang and ORY Hydra
MIT License

Issue#27 Prevent registration of users with same username #29

Closed claudiosegala closed 4 years ago

claudiosegala commented 4 years ago

Solving #27

eabili0 commented 4 years ago

@claudiosegala, sorry but I didn't see any validation on the back end with regards to the prevention of new registration with an already used username. Returning the error directly from the db to the frontend without any treatment can lead to security breaches. Could you please improve that? Thanks!

eabili0 commented 4 years ago

I would like to see here a more "active" validation. On registration, we should actively go to the db and try to get a credential with the provided username. If non-existent, we continue with the registration. If not, we return a "user-friendly" error message indicating the username has already been taken. @claudiosegala Please make sure that generic db error messages are only being logged and are returned as "internal server error - 500" to the client.

claudiosegala commented 4 years ago

> @claudiosegala, sorry but I didn't see any validation on the back end with regards to the prevention of new registration with an already used username. Returning the error directly from the db to the frontend without any treatment can lead to security breaches. Could you please improve that? Thanks!

Could you please specify more where I return the error directly from the db to the front-end?

claudiosegala commented 4 years ago

> I would like to see here a more "active" validation. On registration, we should actively go to the db and try to get a credential with the provided username. If non-existent, we continue with the registration. If not, we return a "user-friendly" error message indicating the username has already been taken. @claudiosegala Please make sure that generic db error messages are only being logged and are returned as "internal server error - 500" to the client.

Updated the PR with a more active validation.

eabili0 commented 4 years ago

Since we have the error middleware, any errors from the db would already be sent to the frontend as "500 - internal server error". So my mistake here. Thanks for your contribution!
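
The "active" check eabili0 asks for above (look the username up first, answer with a friendly error if it is taken, never echo a raw db error) together with the middleware behaviour described in the closing comment, as an added Go example that is not whisper's own code. The `Store`, `Credential`, `ClientError` and `Respond` names are assumptions standing in for the project's real db layer and error middleware.

```go
package main
import (
	"errors"
	"log"
	"net/http"
)
// Store is a constructed in-memory stand-in for the credentials table;
// Fail, when set, makes lookups return that error (simulated db outage).
type Store struct {
	Creds map[string]Credential
	Fail  error
}
type Credential struct{ Username, PasswordHash string }
var ErrNotFound = errors.New("credential not found")
func (s *Store) GetByUsername(u string) (*Credential, error) {
	if s.Fail != nil {
		return nil, s.Fail
	}
	if c, ok := s.Creds[u]; ok {
		return &c, nil
	}
	return nil, ErrNotFound
}
// ClientError is safe to show the client; every other error is internal.
type ClientError struct {
	Status  int
	Message string
}
func (e *ClientError) Error() string { return e.Message }
// Register does the "active" check: look the username up first, answer 409
// if it exists, and pass raw db errors up untouched for the middleware.
func Register(s *Store, c Credential) error {
	if _, err := s.GetByUsername(c.Username); err == nil {
		return &ClientError{http.StatusConflict, "username already taken"}
	} else if !errors.Is(err, ErrNotFound) {
		return err // generic db failure: never forwarded verbatim
	}
	s.Creds[c.Username] = c
	return nil
}
// Respond mirrors the error middleware: client errors pass through, anything
// else is logged server-side and collapsed to a bare 500.
func Respond(err error) (int, string) {
	var ce *ClientError
	if errors.As(err, &ce) {
		return ce.Status, ce.Message
	}
	log.Printf("registration failed: %v", err)
	return http.StatusInternalServerError, "internal server error"
}
```

Note that the raw db message (here a constructed "connection refused") only ever reaches the log, while the client sees the fixed 500 text.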