Skip to content

Instantly share code, notes, and snippets.

@danceoval
Last active March 31, 2021 14:49
Show Gist options
  • Save danceoval/422349cf92cdfa43a5238f7d261e92c5 to your computer and use it in GitHub Desktop.
Save danceoval/422349cf92cdfa43a5238f7d261e92c5 to your computer and use it in GitHub Desktop.
Sr Phase Security Principles

Security

Preventing Injection Attacks

// don't do this
app.post('/users', async (req, res, next) => {
	// via postman req.body = {name : 'Jess B', isAdmin : true}
	let newUser = await User.create(req.body)

	res.json(newUser);
})


// do this
app.post('/users', async (req, res, next) => {
	let {name, password, address} = req.body
	let newUser = await User.create({name, password, address})

	res.json(newUser);
})

Authorization via Express Gates

Authentication == "who am i?"

Authorization = "am I allowed to be here?"

//n-ary, can take 1 or many callbacks

//write once
const isAdmin = (req, res, next) => req.user.isAdmin ? next() : res.send("None shall pass!")

// dependency injection! Write once, inject anywhere!
app.get('/secrets', isAdmin, async(req, res, next) => {
	let creditcards = await Secrets.findAll()

	res.send(creditcards)
})

app.get('/corporate-data', isAdmin, async(req, res, next) => {
	let creditcards = await MarketingData.findAll()

	res.send(MarketingData)
})

// How can we extend this pattern, to make sure Dan doesn't have access to Jess' cart?

Hiding Secrets

	
app.get('/user/:id', await (req, res, next) => {

	// Don't do this!
	let user = await Users.findByPk(req.params.id) // returns all the user info

	// More like this...
	let user = await Users.findByPk(req.params.id, {
		include : { attributes : ['name', 'address', 'favoriteIceCream'] }
	}) // returns only the info we are ok sharing

	res.json({user})
})

XSS (we don't have to worry about this)

//User enters <script>alert('hahahah')</script>

// React ensures this won't happen :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment