From f38a1cf6a6809e85ac2ba47026c42b49bfee3673 Mon Sep 17 00:00:00 2001
From: eug-vs <eug-vs@keemail.me>
Date: Sun, 5 Jul 2020 12:23:11 +0300
Subject: feat: upgrade feedback hooks

---
 services/feedback/feedback.hooks.ts | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)


diff --git a/services/feedback/feedback.hooks.ts b/services/feedback/feedback.hooks.ts
index 56e9000..7ae6c5d 100644
--- a/services/feedback/feedback.hooks.ts
+++ b/services/feedback/feedback.hooks.ts
@@ -1,9 +1,27 @@
+import { populate, discard } from 'feathers-hooks-common';
 import requireAuth from '../../hooks/requireAuth';
 import signAuthority from '../../hooks/signAuthority';
+import sortByDate from '../../hooks/sortByDate';
+
+
+const populateAuthor = populate({
+  schema: {
+    include: {
+      service: 'users',
+      nameAs: 'author',
+      parentField: 'authorId',
+      childField: '_id'
+    }
+  }
+});
 
 export default {
   before: {
-    create: [requireAuth, signAuthority]
+    create: [requireAuth, signAuthority],
+    find: sortByDate
+  },
+  after: {
+    all: [populateAuthor, discard('authorId')]
   }
 };
 
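Review bot: The `author` object that `populateAuthor` embeds may carry the user's password hash: `populate` calls the `users` service as an internal call and receives its raw `context.result`, whereas the users service's `hooks.protect('password')` strips the field from `context.dispatch`, which only external transports read. Unless the include restricts fields, every feedback response would embed the author's hash. Limit the join to what the client needs, e.g. `query: { $select: ['_id', 'username'] }` inside the `include` schema (substitute the real user fields), and consider `discard('author.password')` after it as belt-and-braces. If the installed `populate`/`protect` versions behave differently this may be moot, but it is worth checking against a real response before shipping.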
-- 


From 8f48be5b879b1ae92937dfa1d1f37f08fb167dfa Mon Sep 17 00:00:00 2001
From: eug-vs <eug-vs@keemail.me>
Date: Sun, 5 Jul 2020 13:27:49 +0300
Subject: feat: ensure user security

---
 services/users/users.hooks.ts | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)


diff --git a/services/users/users.hooks.ts b/services/users/users.hooks.ts
index 48843be..1b4be2b 100644
--- a/services/users/users.hooks.ts
+++ b/services/users/users.hooks.ts
@@ -1,7 +1,9 @@
 import _ from 'lodash';
 import { hooks } from '@feathersjs/authentication-local';
-import { discard } from 'feathers-hooks-common';
+import { discard, disallow } from 'feathers-hooks-common';
 import { HookContext } from '@feathersjs/feathers';
+import { NotAuthenticated } from '@feathersjs/errors';
+import requireAuth from '../../hooks/requireAuth';
 
 const hashPassword = hooks.hashPassword('password');
 
@@ -12,6 +14,13 @@ const ignoreCaseRegex = async (context: HookContext): Promise<HookContext> => {
   return context;
 };
 
+const compareUser = async (context: HookContext): Promise<HookContext> => {
+  if(context.arguments[0] != context.params.user._id) {
+    throw new NotAuthenticated('You can only PATCH/UPDATE your own user!');
+  }
+  return context;
+}
+
 export default {
   after: {
     all: hooks.protect('password'),
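Review bot: `compareUser` throws `NotAuthenticated` (401) for a caller who has already passed `requireAuth`; the failure is an authorization one and should be `Forbidden` (403) from `@feathersjs/errors`, so clients do not treat it as a prompt to re-login. It also dereferences `context.params.user._id` unconditionally: internal server calls have no provider and usually no `user`, so if `requireAuth` lets those through (its body is not shown) this hook raises a TypeError instead of a clean error. Suggested lines: `if (!context.params.provider) return context;` at the top, a null check on `context.params.user` before the comparison, and `throw new Forbidden('You can only PATCH/UPDATE your own user!');`. `context.id` is the documented accessor for the first argument and reads better than `context.arguments[0]`.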
@@ -20,8 +29,9 @@ export default {
   before: {
     find: ignoreCaseRegex,
     create: hashPassword,
-    patch: hashPassword,
-    update: hashPassword
+    patch: [hashPassword, requireAuth, compareUser],
+    update: [hashPassword, requireAuth, compareUser],
+    remove: disallow('external')
   }
 };
 
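Review bot: In the new `patch`/`update` chains `hashPassword` runs before `requireAuth` and `compareUser`, so an unauthenticated or wrong-user request still pays a bcrypt hash of whatever `password` it sends before being rejected; that is avoidable CPU an attacker can drive in a loop, and it inverts the usual cheap-check-first order. Reorder to `patch: [requireAuth, compareUser, hashPassword],` and `update: [requireAuth, compareUser, hashPassword],`. `disallow('external')` on `remove` means accounts can only be deleted by server-side code, which is fine if intended, but a comment such as `// account deletion is server-side only` would stop the next reader from adding an external route by accident.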
-- 


From 85b3cc20e8f453868d06d55a688ee8dfe90b80d4 Mon Sep 17 00:00:00 2001
From: eug-vs <eug-vs@keemail.me>
Date: Sun, 5 Jul 2020 13:33:00 +0300
Subject: feat: protect all services

---
 services/feedback/feedback.hooks.ts | 7 +++++--
 services/polls/polls.hooks.ts       | 6 +++++-
 services/votes/votes.hooks.ts       | 6 +++++-
 3 files changed, 15 insertions(+), 4 deletions(-)


diff --git a/services/feedback/feedback.hooks.ts b/services/feedback/feedback.hooks.ts
index 7ae6c5d..5bc2552 100644
--- a/services/feedback/feedback.hooks.ts
+++ b/services/feedback/feedback.hooks.ts
@@ -1,4 +1,4 @@
-import { populate, discard } from 'feathers-hooks-common';
+import { populate, discard, disallow } from 'feathers-hooks-common';
 import requireAuth from '../../hooks/requireAuth';
 import signAuthority from '../../hooks/signAuthority';
 import sortByDate from '../../hooks/sortByDate';
@@ -18,7 +18,10 @@ const populateAuthor = populate({
 export default {
   before: {
     create: [requireAuth, signAuthority],
-    find: sortByDate
+    find: sortByDate,
+    remove: disallow('external'),
+    patch: disallow('external'),
+    update: disallow('external')
   },
   after: {
     all: [populateAuthor, discard('authorId')]
diff --git a/services/polls/polls.hooks.ts b/services/polls/polls.hooks.ts
index e3d04e7..35eae29 100644
--- a/services/polls/polls.hooks.ts
+++ b/services/polls/polls.hooks.ts
@@ -1,4 +1,5 @@
 import { HookContext } from '@feathersjs/feathers';
+import { disallow } from 'feathers-hooks-common';
 import { Types } from 'mongoose';
 import bluebird from 'bluebird'; import _ from 'lodash';
 import { Poll } from 'which-types';
@@ -46,7 +47,10 @@ const convertPoll = async (context: HookContext): Promise<HookContext> => {
 export default {
   before: {
     find: sortByDate,
-    create: signAuthority
+    create: signAuthority,
+    remove: disallow('external'),
+    update: disallow('external'),
+    patch: disallow('external')
   },
   after: {
     all: convertPoll
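Review bot: `create` on polls still runs `signAuthority` alone, whereas feedback and votes in this same commit run `[requireAuth, signAuthority]`; unless `signAuthority` itself rejects requests without `params.user` (its body is not shown), an unauthenticated external client can create polls and the authority field is stamped from `undefined`. Align it with the other services: `import requireAuth from '../../hooks/requireAuth';` at the top and `create: [requireAuth, signAuthority],` here. The hooks object continues past the hunk (`after.all: convertPoll`).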
diff --git a/services/votes/votes.hooks.ts b/services/votes/votes.hooks.ts
index 56e9000..923e897 100644
--- a/services/votes/votes.hooks.ts
+++ b/services/votes/votes.hooks.ts
@@ -1,9 +1,13 @@
+import { disallow } from 'feathers-hooks-common';
 import requireAuth from '../../hooks/requireAuth';
 import signAuthority from '../../hooks/signAuthority';
 
 export default {
   before: {
-    create: [requireAuth, signAuthority]
+    create: [requireAuth, signAuthority],
+    remove: disallow('external'),
+    update: disallow('external'),
+    patch: disallow('external')
   }
 };
 
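Review bot: Reads remain unrestricted: the new hooks object closes external writes but defines nothing for `find`/`get`, so any unauthenticated external client can list every vote, and since `signAuthority` stamps the creator on each record that presumably exposes who voted for what. If votes are meant to be public this is fine and deserves a one-line comment, `// votes are world-readable by design`; otherwise add `find: requireAuth, get: requireAuth` or an after-hook that discards the author field for external callers.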
-- 


From 1c2f3c9e5b39826266d64f4227e53fff139ea948 Mon Sep 17 00:00:00 2001
From: eug-vs <eug-vs@keemail.me>
Date: Sun, 5 Jul 2020 13:35:54 +0300
Subject: style: fix eslint errors

---
 services/users/users.hooks.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


diff --git a/services/users/users.hooks.ts b/services/users/users.hooks.ts
index 1b4be2b..125f418 100644
--- a/services/users/users.hooks.ts
+++ b/services/users/users.hooks.ts
@@ -15,11 +15,11 @@ const ignoreCaseRegex = async (context: HookContext): Promise<HookContext> => {
 };
 
 const compareUser = async (context: HookContext): Promise<HookContext> => {
-  if(context.arguments[0] != context.params.user._id) {
+  if (context.arguments[0] !== context.params.user._id) {
     throw new NotAuthenticated('You can only PATCH/UPDATE your own user!');
   }
   return context;
-}
+};
 
 export default {
   after: {
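Review bot: Switching `!=` to `!==` is not a pure style fix: `context.arguments[0]` is the route id as a string, while `context.params.user._id` is whatever the users service returns, which in a Mongoose-backed app (polls imports `Types` from mongoose) is typically an `ObjectId`. Loose equality coerced the ObjectId to its hex string and matched; strict equality compares a string to an object, so the condition is always true and every owner update would now be rejected with NotAuthenticated. Normalize both sides before comparing: `if (String(context.id) !== String(context.params.user._id)) {`. If `_id` is already a string in this project the concern is moot, but a test that patches one's own user would settle it.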
-- 