Reputation: 973
Why can anyone PUT/POST/GET to any user without authentication in sails.js blueprint rest api?
I have been working with sails.js for a couple days now, and I started out creating my user model and REST API. I also implemented Passport into the app for authentication for users. I was messing around with my requests and noticed that I could do anything I wanted with other users data, even if I was logged on as a different user, without providing a password (just id). It seems like anyone would just be able to hack in and delete all the users data without permission. Was this purposely left out of the blueprint API, and am I missing some big topic that just flew over my head? Do I need to add some other feature that changes permissions? Comment if I need to post any code to help.
Upvotes: 1
Views: 113
Answers (1)
Reputation: 70416
Blueprints and routes are not secured by default, why should they? You can secure them using Policies http://sailsjs.org/documentation/concepts/policies e.g.
{
ProfileController: {
// Apply 'isLoggedIn' by default to all actions that are NOT specified below
'*': 'isLoggedIn',
// If an action is explicitly listed, its policy list will override the default list.
// So, we have to list 'isLoggedIn' again for the 'edit' action if we want it to be applied.
edit: ['isAdmin', 'isLoggedIn']
}
}
Upvotes: 1
Related Questions
- Sails JS forbidden POST request
- Sailsjs login API
- How to prohibit access to the API for non authorized users?
- Sails.js - use login instead of id for REST api
- Protect API routes in Sails.js with token-based authentication?
- How to secure blueprint access in Sails.js
- Sails REST API with simple AUTH
- Check if Sailjs backend is getting a legit req from the frontend without any authentication system
- How to secure my REST-API?
- Sails: How to only authorize creation of a blueprint model