authoreug-vs <eug-vs@keemail.me>2020-07-05 13:27:49 +0300
committereug-vs <eug-vs@keemail.me>2020-07-05 13:30:08 +0300
commit8f48be5b879b1ae92937dfa1d1f37f08fb167dfa (patch)
tree12975443bce44012283853d0444ab9e1a9862514
parent7b24ceaaece34dfe1057f432d00723e27d8c3ea9 (diff)
feat: ensure users security
-rw-r--r--services/users/users.hooks.ts16
1 files changed, 13 insertions, 3 deletions
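--- a/services/users/users.hooks.ts
+++ b/services/users/users.hooks.ts
@@ -1,7 +1,9 @@
 import _ from 'lodash';
 import { hooks } from '@feathersjs/authentication-local';
-import { discard } from 'feathers-hooks-common';
+import { discard, disallow } from 'feathers-hooks-common';
 import { HookContext } from '@feathersjs/feathers';
+import { NotAuthenticated } from '@feathersjs/errors';
+import requireAuth from '../../hooks/requireAuth';
 const hashPassword = hooks.hashPassword('password');
@@ -12,6 +14,13 @@ const ignoreCaseRegex = async (context: HookContext): Promise<HookContext> => {
 return context;
 };
+const compareUser = async (context: HookContext): Promise<HookContext> => {
+ if(context.arguments[0] != context.params.user._id) {
+ throw new NotAuthenticated('You can only PATCH/UPDATE your own user!');
+ }
+ return context;
+}
+
 export default {
 after: {
 all: hooks.protect('password'),
@@ -20,8 +29,9 @@ export default {
 before: {
 find: ignoreCaseRegex,
 create: hashPassword,
- patch: hashPassword,
- update: hashPassword
+ patch: [hashPassword, requireAuth, compareUser],
+ update: [hashPassword, requireAuth, compareUser],
+ remove: disallow('external')
 }
 };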
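Review bot: In the last hunk `hashPassword` is listed before `requireAuth` and `compareUser`, so an unauthenticated caller or one targeting another user's record still pays the password-hashing cost before being rejected; ordering the guards first, `patch: [requireAuth, compareUser, hashPassword]` and the same for `update`, rejects them before any hashing is done. In `compareUser` the loose `!=` is presumably what lets a string id from the route compare equal to a stored `_id` that may be an object (e.g. a Mongo ObjectId), which a later lint change to `!==` would silently break; making the coercion explicit, `if (String(context.id) !== String(context.params.user._id)) {`, keeps that intent visible and uses the hook's own `id` field rather than `arguments[0]`. The hook also dereferences `context.params.user` unconditionally, so if `requireAuth` (in `../../hooks/requireAuth`, outside this diff) lets provider-less internal calls through without a user, this throws a TypeError instead of a clean error — worth confirming. Since the caller is authenticated but acting on someone else's record, `Forbidden` from `@feathersjs/errors` describes the failure more accurately than `NotAuthenticated`.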