XXXOrRestrict undermines provider (security) logic #395
Steps to reproduce
Myservice should be called only once, with provider="rest".
The call will be made, but myhook will be called twice. First with
The final output is the one from the second call.
Logs will show:
NodeJS version: 7.4.0
Operating System: win10
Browser Version: ALL
I know that with the new authentication and permission plugins this issue might be gone; however, currently this was a big issue for me, especially as I first thought that browser calls and internal calls are the same, as both were showing up with provider=undefined. Just after some debugging I learned that I can safely assume that if provider=undefined, this must be an internal call and thus I do not restrict anything. However, this is not true if one is using one of the xxxOrRestrict hooks.
Also, the behaviour is kind of intended, as the code states (https://github.com/feathersjs/feathers-authentication/blob/875bbe436c939bb5355e2bf7c83e779a31b96e27/src/hooks/verify-or-restrict.js#L32): this is done to prevent infinite loops when calling the service again on itself (which is what the hook is actually doing). Nevertheless, it is still scary if someone is relying on the provider param to restrict services.
For everyone that has the same use case as me:
I copied the code from the verify and populate hooks and just customized my hook (removed the feathers verify and populate hooks):
I just converted everything to the Auk release with the latest authentication version. Unfortunately, the approach from above does not work anymore (there is no