User authentication using Passport











I'm currently building a Node/Express app using Passport for user authentication and Sequelize for database queries. It's a 'To-do list' app which currently has 3 models: User, List and Task. My back-end database calls are done using an API. My front-end uses AJAX to retrieve the data.



This is my first time using Passport for authentication, so I was wondering if there are any security problems in my current code. I am specifically concerned about Users being able to retrieve info about other Users by modifying the requests to my API.



Here is an example of an API call to create a List:



// Create list
router.post('/lists', isLoggedIn, (req, res) => {
  // Only `name` is read from the client-supplied body; the owner comes from
  // req.user, which Passport populates from the server-side session.
  models.List.build({ name: req.body.name, userId: req.user.id }).save()
    .then(list => {
      res.send(list);
    })
    .catch(err => {
      res.send(err);
    });
});

// ... other API calls

// Route guard: only proceed if Passport has authenticated the session.
function isLoggedIn(req, res, next) {
  if (req.isAuthenticated())
    return next();
  res.redirect('/');
}


And the front-end function that calls it:



// Create list and open it
function addList(name) {
  if (!name.length) return;
  $.ajax({
    type: "POST",
    url: '/api/lists',
    data: { name: name },
    success: function(data) {
      window.location = "/lists/" + data.id;
    }
  });
}


I am 99% sure that this is a secure implementation, since it seems like any data sent in the POST request is contained within req.body, whereas req.user is generated by Express/Passport on the server side. However, there is still the 1% of me that thinks it might be possible to modify req.user in the POST request and be able to get information about other Users.



Are my worries for nothing, or is there a better way to implement this?










javascript node.js express.js passport






edited Nov 12 '17 at 0:53 by Jamal

asked Nov 8 '17 at 7:30 by Tomer R

  • What strategies (if any) are you using within passport? Without seeing more of how the server is setup it'd be hard to say, but I'd start with using Passport Bearer tokens (which I assume you're not as you're not sending headers in your AJAX call) and oAuth as an extension is pretty easy to implement for a decent security base for your API.
    – AE Grey
    Apr 11 at 8:23

1 Answer
Given req.user is set at the server then, unless your server is compromised, you can ignore the 1%.



Relying on server-side user data is the correct approach - never trust the client.






answered Nov 12 '17 at 0:46 by James
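An added example, not code from the question or the answer, illustrating both the question's pattern and the answer's "never trust the client" rule: the `lists` array, the `List` object (a constructed in-memory stand-in for the Sequelize model with only `create` and `findOne`) and the three handler functions are assumptions made here. It contrasts the question's safe create with a mass-assigning one that lets the body choose `userId`, and shows a read scoped by `req.user.id` so that changing the id in the request cannot return another user's list.

```javascript
'use strict';

// Constructed sample rows standing in for the List table.
const lists = [
  { id: 1, name: 'groceries', userId: 10 },
  { id: 2, name: 'work', userId: 20 },
];

// Constructed stand-in for models.List: just the two calls the handlers use.
const List = {
  create(attrs) {
    const row = { id: lists.length + 1, ...attrs };
    lists.push(row);
    return row;
  },
  findOne({ where }) {
    return lists.find(r => Object.keys(where).every(k => r[k] === where[k])) || null;
  },
};

// Unsafe variant: mass-assigns the whole body, so a client that adds a
// userId field to the POST form creates a list owned by someone else.
function createListUnsafe(req) {
  return List.create(req.body);
}

// The question's pattern: only `name` comes from req.body; the owner is
// req.user.id, which Passport sets server-side from the session, so nothing
// in the request body can change it.
function createListSafe(req) {
  return List.create({ name: req.body.name, userId: req.user.id });
}

// Read scoped by owner: the query includes userId, so a tampered :id that
// belongs to another user yields null (treat as 404) instead of their data.
function getOwnList(req) {
  return List.findOne({ where: { id: Number(req.params.id), userId: req.user.id } });
}
```

The same owner-scoping belongs on every update and delete route, not only on reads.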
