User authentication using Passport

I'm currently building a Node/Express app using Passport for user authentication and Sequelize for database queries. It's a 'To-do list' app which currently has 3 models: User, List and Task. My back-end database calls are done using an API. My front-end uses AJAX to retrieve the data.



This is my first time using Passport for authentication, so I was wondering if there are any security problems in my current code. I am specifically concerned about Users being able to retrieve info about other Users by modifying the requests to my API.



Here is an example of an API call to create a List:



    // Create list
    router.post('/lists', isLoggedIn, (req, res) => {
        models.List.build({ name: req.body.name, userId: req.user.id }).save()
            .then(list => {
                res.send(list);
            })
            .catch(err => {
                res.send(err);
            });
    });

    // ... other API calls

    function isLoggedIn(req, res, next) {
        if (req.isAuthenticated())
            return next();
        res.redirect('/');
    }


And the front-end function that calls it:



    // Create list and open it
    function addList(name) {
        if (!name.length) return;
        $.ajax({
            type: "POST",
            url: '/api/lists',
            data: { name: name },
            success: function(data) {
                window.location = "/lists/" + data.id;
            }
        });
    }


I am 99% sure that this is a secure implementation, since it seems like any data sent in the POST request is contained within req.body, whereas req.user is generated by Express/Passport on the server side. However there is still the 1% of me that thinks it might be possible to modify req.user in the POST request and be able to get information about other Users.



Are my worries for nothing, or is there a better way to implement this?

javascript node.js express.js passport

edited Nov 12 '17 at 0:53 by Jamal

asked Nov 8 '17 at 7:30 by Tomer R

  • What strategies (if any) are you using within passport? Without seeing more of how the server is setup it'd be hard to say, but I'd start with using Passport Bearer tokens (which I assume you're not as you're not sending headers in your AJAX call) and oAuth as an extension is pretty easy to implement for a decent security base for your API. – AE Grey, Apr 11 '18 at 8:23

1 Answer

Given req.user is set at the server then, unless your server is compromised, you can ignore the 1%.



Relying on server-side user data is the correct approach - never trust the client.

answered Nov 12 '17 at 0:46 by James
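
Added example (not part of the question or the answer, and not the asker's code): the handlers below make the distinction the thread turns on concrete. Authentication, meaning who req.user is, comes from Passport's session middleware on the server and cannot be set through req.body, which is the answer's point. The "other API calls" still need an authorization check, though, so that a logged-in user cannot read another user's List by changing the id in the URL. The create route therefore takes the owner only from req.user.id, and the read route scopes its query to the caller with where: { id, userId: req.user.id }, so a foreign id answers 404 rather than returning the row. Express, Passport and Sequelize are not needed to run it: models.List is an in-memory stand-in with Sequelize-style findOne/create signatures, makeReq/makeRes construct the request and response objects Express would normally supply, and the two users and the list are constructed sample data. It also reports failures with a fixed message instead of res.send(err), because echoing a Sequelize error object would hand query details to the client.

```javascript
// Added example, not the asker's code. Express, Passport and Sequelize are
// not required: models.List is an in-memory stand-in for the Sequelize model
// (assumption: only findOne/create are used), and makeReq/makeRes construct
// the request/response objects that Express would normally pass in.

// In-memory stand-in for models.List with Sequelize-style findOne/create.
const lists = [];
let nextId = 1;
const models = {
  List: {
    async create(values) {
      const row = { id: nextId++, name: values.name, userId: values.userId };
      lists.push(row);
      return row;
    },
    async findOne({ where }) {
      return lists.find(r => Object.keys(where).every(k => r[k] === where[k])) || null;
    },
  },
};

// Authentication gate. req.isAuthenticated() and req.user are populated by
// Passport's session middleware on the server; nothing in req.body can set
// them. For an AJAX API a 401 is more useful than a redirect to '/'.
function isLoggedIn(req, res, next) {
  if (req.isAuthenticated()) return next();
  res.status(401).json({ error: 'not authenticated' });
}

// POST /lists: the owner is always req.user.id. A userId placed in req.body
// is never read, so a tampered body cannot assign the list to someone else.
// Failures get a fixed message rather than the raw error object.
async function createList(req, res) {
  const name = typeof req.body.name === 'string' ? req.body.name.trim() : '';
  if (!name) return res.status(400).json({ error: 'name is required' });
  try {
    const list = await models.List.create({ name, userId: req.user.id });
    res.status(201).json(list);
  } catch (err) {
    res.status(500).json({ error: 'could not create list' });
  }
}

// GET /lists/:id: being logged in is not enough. The query is scoped to the
// caller, so another user's list id yields 404 instead of that user's data.
async function getList(req, res) {
  const id = Number(req.params.id);
  const list = await models.List.findOne({ where: { id, userId: req.user.id } });
  if (!list) return res.status(404).json({ error: 'not found' });
  res.json(list);
}

// Constructed request/response objects standing in for Express's own.
function makeReq({ user = null, body = {}, params = {} } = {}) {
  return { user, body, params, isAuthenticated: () => user !== null };
}
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = code => { res.statusCode = code; return res; };
  res.json = data => { res.body = data; return res; };
  return res;
}

// Run a handler behind isLoggedIn the way router.post/router.get would.
async function call(handler, req) {
  const res = makeRes();
  let authenticated = false;
  isLoggedIn(req, res, () => { authenticated = true; });
  if (authenticated) await handler(req, res);
  return res;
}

// Scenario with two constructed users: Alice creates a list while sending a
// forged userId in the body; Bob and an anonymous caller then request it.
async function demo() {
  const alice = { id: 1 };
  const bob = { id: 2 };
  const created = await call(createList,
    makeReq({ user: alice, body: { name: 'Groceries', userId: bob.id } }));
  const id = created.body.id;
  const ownerRead = await call(getList, makeReq({ user: alice, params: { id } }));
  const otherRead = await call(getList, makeReq({ user: bob, params: { id } }));
  const anonRead = await call(getList, makeReq({ params: { id } }));
  return {
    ownerId: created.body.userId,      // 1: the forged userId in the body was ignored
    ownerStatus: ownerRead.statusCode, // 200
    otherStatus: otherRead.statusCode, // 404: scoped query hides Alice's list from Bob
    anonStatus: anonRead.statusCode,   // 401: rejected by isLoggedIn
  };
}

demo().then(r => console.log(r));
```

In a real app the same two handlers mount unchanged as router.post('/lists', isLoggedIn, createList) and router.get('/lists/:id', isLoggedIn, getList); the only part that changes is swapping the in-memory models.List for the Sequelize model, whose findOne({ where }) takes the same object.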