Open Aryaman1706 opened 3 years ago
anandbaburajan
commented
3 years ago Hey @Aryaman1706! Thanks for opening this issue! We had thought about validation but didn't think much on the security aspect. Can you check out my comments at RocketMeet/RocketMeet-client#159 too and let us know what you think here? Also, do you find any vulnerabilities in our API already? Thanks again!
Aryaman1706
commented
3 years ago Hey @AnandBaburajan ! I read that discussion and I somewhat agree that mongoose validators could do the job, but don't you think that in case of an invalid request body, we should not allow the data to reach the saving stage as mongoose validators are pre-save hooks? I think we should keep validation of request as a separate step, this way we could save on some unnecessary operations being performed and would be able to deliver intuitive error messages to users. Also if you use something like yup, we could also reuse the validation schema on react side as well with formik for validating it there and then.
I have not tested the API thoroughly, I am gonna do it tonight and would get back if I found some issues. Meanwhile here are some I found:-
vote.choices.every is not a function. Though this is will fall in catch block but the message is not clear for an average user.Thanks a lot for addressing the raised issue so soon and I would love to discuss the issue further.
anandbaburajan
commented
3 years ago don't you think that in case of an invalid request body, we should not allow the data to reach the saving stage as mongoose validators are pre-save hooks? I think we should keep validation of request as a separate step, this way we could save on some unnecessary operations being performed and would be able to deliver intuitive error messages to users.
I agree, validattion would be good. But since the only user of this API would be the RM-client, do you suggest handling the necessary validation only at the client provided the server handles all the edge cases like the ones you mentioned?
- Here if we do not provide the field of encryptedEmailID, we would get an error like can not make Buffer from undefined (inside decrypt function) and this statement is not inside trycatch block so this might break the API.
Good catch, thanks! You're welcome to fix it.
Thanks a lot for addressing the raised issue so soon and I would love to discuss the issue further.
Thanks for your thoughts! :D please let me know what you think!
Aryaman1706
commented
3 years ago I agree, validation would be good. But since the only user of this API would be the RM-client, do you suggest handling the necessary validation only at the client provided the server handles all the edge cases like the ones you mentioned?
Good catch, thanks! You're welcome to fix it
Sure, I am on it. Would soon raise a PR to fix the same.
Thanks a lot.
anandbaburajan
commented
3 years ago a self-contained API would go a long way as it could be integrated easily with a discord/slack bot or a chrome extension
Good point, makes sense, thanks! You're welcome to go ahead with validation. :D
anandbaburajan
commented
2 years ago Update: our API endpoints are now inside pages/api.
Feature Request
Advantages
Implementation
Additional Context