fix security author authenticity

[fabiooshiro]

Description of what you did:

My PR is a:

• 💥 Breaking change
• 🐛 Bug fix
• 💅 Enhancement
• 🚀 New feature

Main update on the:

• api
• frontend
• lib

[DimiMikadze]

Hi @fabiooshiro, thanks for the PR, but I don't understand how these changes will prevent a hacker from posting a comment with the different user names?

To prevent it, I think will need to check if author and authUser.id are the same, and create a comment only if they are.

[fabiooshiro]

Just getting the id from the JWT is enough... Em sáb, 5 de set de 2020 05:56, Dimi Mikadze <notifications@github.com> escreveu:

…

Hi @fabiooshiro <https://github.com/fabiooshiro>, thanks for the PR, but I don't understand how these changes will prevent a hacker from posting a comment with the different user names? To prevent it, I think will need to check if author and authUser.id are the same, and create a comment only if they are. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#66 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABVNEAKP4RZWZNOXLPQ2JDSEH4KBANCNFSM4QIGJAQA> .

[DimiMikadze]

Hi @fabiooshiro, in the issue you have explained that post creation contains a bug, but this PR contains the changes for comments.

As explained in CONTRIBUTING.md let's first discover what's causing the issue, and describe it by respecting the issue template.

Then agree on how we are going to approach it, and finally create a PR.

[fabiooshiro]

All the system has the same problem...