Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🔒 🔈 Plug a security vulnerability and alert users to deprecated endpoint #618

Merged
merged 4 commits into from Feb 13, 2020
Merged

🔒 🔈 Plug a security vulnerability and alert users to deprecated endpoint #618

merged 4 commits into from Feb 13, 2020

Conversation

shnizzedy
Copy link
Member

I would just remove the endpoint, but the mobile app is still using it.

Resolves #617
Ref #616 (comment)

WorldImpex
WorldImpex previously approved these changes Jan 17, 2020
View reviewed changes
@WorldImpex
Copy link

@devbtech Could you test this one?

devbtech
devbtech approved these changes Feb 3, 2020
View reviewed changes
Copy link
Contributor

@devbtech devbtech left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@shnizzedy There is message, that 'PUT /user/{:id}' is deprecated. But I don't see any implemented methods for changing user information instead of the deprecated method. Is this planned in the future?

devbtech
devbtech previously approved these changes Feb 3, 2020
View reviewed changes
@shnizzedy
Copy link
Member Author

@shnizzedy There is message, that 'PUT /user/{:id}' is deprecated. But I don't see any implemented methods for changing user information instead of the deprecated method. Is this planned in the future?

@devbtech the idea is that only a user themself could update his/her user info, which would be minimal with most of that information having moved to Profiles.

I believe the username and password are the only data that remain in the User object that should be updateable.

model diagram

We already have PUT /user/password, an open issue with several proposed solutions to add a route to update the username, and PUT /user/profile to update everything else.

That last call (PUT /user/profile) is currently extremely minimal: the call takes a profile ID OR (an applet ID and an ID code) and a JSON Object of all the data to update. There should probably eventually be some validation of some standard profile fields.

All that is to say, the idea is that the User class be used for authentication but otherwise should not be visible or accessible.

This was referenced Feb 6, 2020
Closed
Closed
devbtech
devbtech previously approved these changes Feb 13, 2020
View reviewed changes
@devbtech devbtech merged commit 311b45c into master Feb 13, 2020
@devbtech devbtech deleted the security-patch branch February 13, 2020 12:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@devbtech devbtech devbtech approved these changes

@WorldImpex WorldImpex WorldImpex left review comments

Assignees

@devbtech devbtech

Labels
backend security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

🔐 Deprecated route exposes sensitive data.
3 participants
@shnizzedy @WorldImpex @devbtech