Skip to content

Instantly share code, notes, and snippets.

@sarahzhao25
Forked from danceoval/Shopper-Security.md
Last active March 31, 2021 14:50
Show Gist options
  • Save sarahzhao25/353b6184f1be6c79f27b25e347547c27 to your computer and use it in GitHub Desktop.
Save sarahzhao25/353b6184f1be6c79f27b25e347547c27 to your computer and use it in GitHub Desktop.
Sr Phase Security Principles

Security

Express Auth Gates Hiding secrets in Sequelize queries Protecting against Injection Hiding App Secrets

Authorization via Express Gates

Authentication == "who am i?"

Authorization = "am I allowed to be here?"

//n-ary, can take 1 or many callbacks

//write once
const isAdmin = (req, res, next) => req.user.isAdmin ? next() : res.send("None shall pass!")

// dependency injection! Write once, inject anywhere!
app.get('/secrets', isAdmin, async(req, res, next) => {
	let creditcards = await Secrets.findAll()

	res.send(creditcards)
})

app.get('/corporate-data', isAdmin, async(req, res, next) => {
	let creditcards = await MarketingData.findAll()

	res.send(MarketingData)
})

// How can we extend this pattern, to make sure Dan doesn't have access to Jess' cart?

Hiding Secrets

	
app.get('/user/:id', await (req, res, next) => {

	// Don't do this!
	let user = await Users.findByPk(req.params.id) // returns all the user info

	// More like this...
	let user = await Users.findByPk(req.params.id, {
		include : { attributes : ['name', 'address', 'favoriteIceCream'] }
	}) // returns only the info we are ok sharing

	res.json({user})
})

Preventing Injection Attacks

// don't do this
app.post('/users', async (req, res, next) => {
	// via postman req.body = {name : 'Jess B', isAdmin : true}
	let newUser = await User.create(req.body)

	res.json(newUser);
})


// do this
app.post('/users', async (req, res, next) => {
	let {name, password, address} = req.body
	let newUser = await User.create({name, password, address})

	res.json(newUser);
})
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment