adamSiwiec adamSiwiec - 1 year ago 66
reST (reStructuredText) Question

Why can anyone PUT/POST/GET to any user without authentication in sails.js blueprint rest api?

I have been working with sails.js for a couple days now, and I started out creating my user model and REST API. I also implemented Passport into the app for authentication for users. I was messing around with my requests and noticed that I could do anything I wanted with other users data, even if I was logged on as a different user, without providing a password (just id). It seems like anyone would just be able to hack in and delete all the users data without permission. Was this purposely left out of the blueprint API, and am I missing some big topic that just flew over my head? Do I need to add some other feature that changes permissions? Comment if I need to post any code to help.

Answer Source

Blueprints and routes are not secured by default, why should they? You can secure them using Policies e.g.

  ProfileController: {
    // Apply 'isLoggedIn' by default to all actions that are NOT specified below
    '*': 'isLoggedIn',
    // If an action is explicitly listed, its policy list will override the default list.
    // So, we have to list 'isLoggedIn' again for the 'edit' action if we want it to be applied.
    edit: ['isAdmin', 'isLoggedIn']