From 8f48be5b879b1ae92937dfa1d1f37f08fb167dfa Mon Sep 17 00:00:00 2001
From: eug-vs
Date: Sun, 5 Jul 2020 13:27:49 +0300
Subject: feat: ensure users security

---
 services/users/users.hooks.ts | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/services/users/users.hooks.ts b/services/users/users.hooks.ts
index 48843be..1b4be2b 100644
--- a/services/users/users.hooks.ts
+++ b/services/users/users.hooks.ts
@@ -1,7 +1,9 @@
 import _ from 'lodash';
 import { hooks } from '@feathersjs/authentication-local';
-import { discard } from 'feathers-hooks-common';
+import { discard, disallow } from 'feathers-hooks-common';
 import { HookContext } from '@feathersjs/feathers';
+import { NotAuthenticated } from '@feathersjs/errors';
+import requireAuth from '../../hooks/requireAuth';
 
 const hashPassword = hooks.hashPassword('password');
 
@@ -12,6 +14,13 @@ const ignoreCaseRegex = async (context: HookContext): Promise => {
   return context;
 };
 
+const compareUser = async (context: HookContext): Promise => {
+  if(context.arguments[0] != context.params.user._id) {
+    throw new NotAuthenticated('You can only PATCH/UPDATE your own user!');
+  }
+  return context;
+}
+
 export default {
   after: {
     all: hooks.protect('password'),
@@ -20,8 +29,9 @@ export default {
   before: {
     find: ignoreCaseRegex,
     create: hashPassword,
-    patch: hashPassword,
-    update: hashPassword
+    patch: [hashPassword, requireAuth, compareUser],
+    update: [hashPassword, requireAuth, compareUser],
+    remove: disallow('external')
   }
 };
 
-- 
cgit v1.2.3
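Review bot: The ownership check in compareUser relies on a loose `!=` between `context.arguments[0]` and `context.params.user._id`, so its outcome depends on whether the stored `_id` is a string or an object that happens to stringify; Feathers exposes the routed id as `context.id`, and comparing normalized strings makes the intent explicit: `if (String(context.id) !== String(context.params.user._id)) {`. A caller that is authenticated but targets another user's record is an authorization failure, so `Forbidden` from `@feathersjs/errors` (HTTP 403) describes it better than `NotAuthenticated` (401), which here is only correct if requireAuth has not already rejected anonymous calls. In the third hunk, `patch` and `update` run `hashPassword` before `requireAuth` and `compareUser`, so every unauthenticated or cross-user request still pays the bcrypt cost before being rejected; ordering the arrays `[requireAuth, compareUser, hashPassword]` fails fast and hashes only for requests that are allowed to proceed. Whether `context.params.user` is always set when compareUser runs depends on requireAuth, which is outside this diff — if internal (provider-less) calls can reach this hook, `context.params.user._id` would throw a TypeError rather than a Feathers error.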