Merge pull request #17 from which-ecosystem/security

Prepare release-level backend security

4 files changed, 45 insertions, 6 deletions

diff --git a/services/feedback/feedback.hooks.ts b/services/feedback/feedback.hooks.ts
index 56e9000..5bc2552 100644
--- a/services/feedback/feedback.hooks.ts
+++ b/services/feedback/feedback.hooks.ts
@@ -1,9 +1,30 @@
+import { populate, discard, disallow } from 'feathers-hooks-common';
 import requireAuth from '../../hooks/requireAuth';
 import signAuthority from '../../hooks/signAuthority';
+import sortByDate from '../../hooks/sortByDate';
+
+
+const populateAuthor = populate({
+  schema: {
+    include: {
+      service: 'users',
+      nameAs: 'author',
+      parentField: 'authorId',
+      childField: '_id'
+    }
+  }
+});
 
 export default {
   before: {
-    create: [requireAuth, signAuthority]
+    create: [requireAuth, signAuthority],
+    find: sortByDate,
+    remove: disallow('external'),
+    patch: disallow('external'),
+    update: disallow('external')
+  },
+  after: {
+    all: [populateAuthor, discard('authorId')]
   }
 };
 
diff --git a/services/polls/polls.hooks.ts b/services/polls/polls.hooks.ts
index e3d04e7..35eae29 100644
--- a/services/polls/polls.hooks.ts
+++ b/services/polls/polls.hooks.ts
@@ -1,4 +1,5 @@
 import { HookContext } from '@feathersjs/feathers';
+import { disallow } from 'feathers-hooks-common';
 import { Types } from 'mongoose';
 import bluebird from 'bluebird'; import _ from 'lodash';
 import { Poll } from 'which-types';
@@ -46,7 +47,10 @@ const convertPoll = async (context: HookContext): Promise<HookContext> => {
 export default {
   before: {
     find: sortByDate,
-    create: signAuthority
+    create: signAuthority,
+    remove: disallow('external'),
+    update: disallow('external'),
+    patch: disallow('external')
   },
   after: {
     all: convertPoll
diff --git a/services/users/users.hooks.ts b/services/users/users.hooks.ts
index 48843be..125f418 100644
--- a/services/users/users.hooks.ts
+++ b/services/users/users.hooks.ts
@@ -1,7 +1,9 @@
 import _ from 'lodash';
 import { hooks } from '@feathersjs/authentication-local';
-import { discard } from 'feathers-hooks-common';
+import { discard, disallow } from 'feathers-hooks-common';
 import { HookContext } from '@feathersjs/feathers';
+import { NotAuthenticated } from '@feathersjs/errors';
+import requireAuth from '../../hooks/requireAuth';
 
 const hashPassword = hooks.hashPassword('password');
 
@@ -12,6 +14,13 @@ const ignoreCaseRegex = async (context: HookContext): Promise<HookContext> => {
   return context;
 };
 
+const compareUser = async (context: HookContext): Promise<HookContext> => {
+  if (context.arguments[0] !== context.params.user._id) {
+    throw new NotAuthenticated('You can only PATCH/UPDATE your own user!');
+  }
+  return context;
+};
+
 export default {
   after: {
     all: hooks.protect('password'),
@@ -20,8 +29,9 @@ export default {
   before: {
     find: ignoreCaseRegex,
     create: hashPassword,
-    patch: hashPassword,
-    update: hashPassword
+    patch: [hashPassword, requireAuth, compareUser],
+    update: [hashPassword, requireAuth, compareUser],
+    remove: disallow('external')
   }
 };
 
diff --git a/services/votes/votes.hooks.ts b/services/votes/votes.hooks.ts
index 56e9000..923e897 100644
--- a/services/votes/votes.hooks.ts
+++ b/services/votes/votes.hooks.ts
@@ -1,9 +1,13 @@
+import { disallow } from 'feathers-hooks-common';
 import requireAuth from '../../hooks/requireAuth';
 import signAuthority from '../../hooks/signAuthority';
 
 export default {
   before: {
-    create: [requireAuth, signAuthority]
+    create: [requireAuth, signAuthority],
+    remove: disallow('external'),
+    update: disallow('external'),
+    patch: disallow('external')
   }
 };