stockpile-co / api

The API for Stockpile, an app that manages stuff for organizations.

Registration allows any user to specify roleId #278

Closed SamuelColacchia closed 6 years ago

SamuelColacchia commented 7 years ago

API accepts both a roleID and an organizationID without performing any authentication.

This may cause unintended security side effects.

Post to API - auth/register

{"key":"email","value":"admin2@admin.co"},
{"key":"password","value":"somepass"},
{"key":"organizationID","value":"1"},
{"key":"roleID","value":"1","description":""},
{"key":"firstName","value":"admin test"},
{"key":"lastName","value":"admin test"}

Response from - auth/register

{
    "userID": 1567,
    "email": "admin2@admin.co",
    "firstName": "admin test",
    "lastName": "admin test",
    "organizationID": 1,
    "role": "Administrator"
}
AdamVig commented 7 years ago

@SamuelColacchia Thank you for letting us know.

I need to rethink the security on that endpoint. It only needs to be used from stockpileapp.co/subscribe, so I could implement CORS to restrict the route to only requests from that domain.

CORS is enabled by default in Restify, so I may have broken it at one point, possibly in ./controllers/options.js.
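The request/response pair in the report shows a mass-assignment problem: whatever roleID and organizationID the client sends are written into the new account. The example below is added here and is not Stockpile's code; it contrasts a handler that copies the body wholesale with one that reads only an allowlist of fields and takes role and organization from a server-side record (a constructed invitation table standing in for the database), so a client-supplied roleID has no effect regardless of what domain the request came from. CORS is enforced by browsers, so it does not constrain non-browser clients; the server-side check is what decides the role. The role table, invitation tokens and field names are assumptions, not values from the project.

```javascript
// Added example, not the Stockpile API's own code. Lookup tables below are
// constructed stand-ins for database rows.
const ROLES = { 1: 'Administrator', 2: 'Member' }; // assumed role ids
const DEFAULT_ROLE_ID = 2;

// Hypothetical invitation records: a token redeemed at registration decides
// which organization and role the new user gets.
const INVITATIONS = {
  'inv-member-org1': { organizationID: 1, roleID: 2 },
};

let nextUserId = 1567;

// Vulnerable shape: every field from the request body, including roleID and
// organizationID, is trusted and copied into the new user record.
function registerVulnerable(body) {
  return {
    userID: nextUserId++,
    email: body.email,
    firstName: body.firstName,
    lastName: body.lastName,
    organizationID: Number(body.organizationID),
    role: ROLES[Number(body.roleID)],
  };
}

// Hardened shape: only these body fields are ever read.
const ALLOWED_FIELDS = ['email', 'password', 'firstName', 'lastName', 'inviteToken'];

function pickAllowed(body) {
  const out = {};
  for (const key of ALLOWED_FIELDS) {
    if (body[key] !== undefined) out[key] = body[key];
  }
  return out;
}

// Detection helper: body keys outside the allowlist (e.g. roleID) are worth
// logging, since a legitimate client never sends them.
function unexpectedFields(body) {
  return Object.keys(body).filter((key) => !ALLOWED_FIELDS.includes(key));
}

function registerHardened(body) {
  const input = pickAllowed(body);
  if (!input.email || !input.password) {
    throw new Error('email and password are required');
  }
  // Organization and role come from the server-side invitation record only;
  // anything the client put in roleID/organizationID was dropped by pickAllowed.
  const invitation = INVITATIONS[input.inviteToken];
  if (!invitation) {
    throw new Error('a valid invitation is required to register');
  }
  const roleID = invitation.roleID ?? DEFAULT_ROLE_ID;
  return {
    userID: nextUserId++,
    email: input.email,
    firstName: input.firstName,
    lastName: input.lastName,
    organizationID: invitation.organizationID,
    role: ROLES[roleID],
  };
}

module.exports = { registerVulnerable, registerHardened, unexpectedFields };
```

With the body from the report (roleID "1", organizationID "1"), `registerVulnerable` returns an Administrator, while `registerHardened` refuses the request without an invitation and, with one, assigns the invitation's role and ignores the body's roleID entirely.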