Fix(users): Don't update secure profile fields #1421
Conversation
Avoid updating secure fields as password, salt ..etc through user profile update. Fixes meanjs#1420
|
|
||
| // For security measurement do not use _id from the req.body object | ||
| delete req.body._id; | ||
| var secureFields = ['firstName', 'lastName', 'email', 'username']; |
There was a problem hiding this comment.
The naming here is a little confusing. It sounds like these are the fields that are not allowed.
There was a problem hiding this comment.
Yeas :). whitelist would be far better.
|
Thank you for taking the initiative & submitting this PR. And for the added test :) I'm a little unsure of this solution though. I think a better solution would be to maintain two lists at the top level of this server controller.
We can keep the line with WDYT? |
|
@mleanos I took the black list approach because if request contains some invalid fields like makes |
|
What do you think about having a function(s) defined in the server controller, that "cleans" the user object coming in from You may end up with something like this for when we receive a user object from the request: // only extend with fields we want to accept from the request
user = _.extend(user, whitelistedUser(req.body));EDIT: and for returning to the client: // only send fields that are safe to be sent back to the client
res.json(sanitizedUser(user));Thoughts on this approach? My understanding is that Mongoose won't update fields that aren't present in the model definition. Unless, it's an object field (dynamic?) with no strict definitions. |
|
That looks better. |
shanavas786
force-pushed
the
fix-profile-update
branch
from
2a8082b to
9a412e1
Compare
|
I think this is good now. Thanks. @meanjs/contributors Any feedback? |
|
Looks good, thanks @mleanos and @shanavas786 |
Avoid updating secure fields as password, salt ..etc through
user profile update.
Fixes #1420