fix(security): require auth on clan creation, remove debug console.log
POST /herowars/clans was accessible without authentication. console.log(req.profile) in profiles controller leaked user data to logs.
This commit is contained in:
@@ -25,7 +25,6 @@ module.exports.deleteFollowUser = asyncHandler(async (req, res, next) => {
|
|||||||
|
|
||||||
module.exports.getProfile = asyncHandler(async (req, res, next) => {
|
module.exports.getProfile = asyncHandler(async (req, res, next) => {
|
||||||
try {
|
try {
|
||||||
console.log(req.profile)
|
|
||||||
/*const user = await UserService.getUserById(req.payload.id);
|
/*const user = await UserService.getUserById(req.payload.id);
|
||||||
if (!user) {
|
if (!user) {
|
||||||
return next(new ErrorResponse("Unauthorized", 401, "Authentication required."));
|
return next(new ErrorResponse("Unauthorized", 401, "Authentication required."));
|
||||||
|
|||||||
@@ -6,7 +6,7 @@ const clanRouter = express.Router();
|
|||||||
|
|
||||||
//clanRouter.param('clanId', getClan);
|
//clanRouter.param('clanId', getClan);
|
||||||
clanRouter.get('/', auth.optional, getAllClans);
|
clanRouter.get('/', auth.optional, getAllClans);
|
||||||
clanRouter.post('/', auth.optional, createClan);
|
clanRouter.post('/', auth.required, createClan);
|
||||||
clanRouter.get('/:clanId', auth.required, getClan);
|
clanRouter.get('/:clanId', auth.required, getClan);
|
||||||
clanRouter.put('/:clanId', auth.required, updateClan);
|
clanRouter.put('/:clanId', auth.required, updateClan);
|
||||||
clanRouter.delete('/:clanId', auth.required, deleteClan);
|
clanRouter.delete('/:clanId', auth.required, deleteClan);
|
||||||
|
|||||||
Reference in New Issue
Block a user