Sunday 16 July 2017

AJAX security in Express?

So for a personal app I'm writing I'm using express with auth0 for authentication (why reinvent the wheel?) and passport for authorization.

There is a part of my app where I'd like the user to be able to POST via AJAX. I'm using fetch to send the POST request to the appropriate route and it works fine and dandy.

My issue is that anyone can access this route. I've set up some really basic but easily broken protection inside the route, but I don't think that is good enough. Essentially, I'm just checking that the request is referred from within the app.

However, this doesn't check that the user is logged in, and it uses the current user id being passed down from the server to assign the content created by the POST request as the owner of the content. So anyone with a working knowledge of the system could theoretically assign new content to anyone's account so long as they know the user's id.

I tried setting up ensureLoggedIn as middleware on my router for the associated AJAX route. But since the client is passing the request via AJAX it doesn't have the token passed along with it... resulting in the AJAX request being redirected to the login page.

I've been googling for days and haven't figured this out. Anyone here who can help?

Submitted July 17, 2017 at 02:19AM by burnaftertweeting
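The two fixes a reviewer would suggest for the route above, as an added example (not the poster's code): an Express-style guard that answers unauthenticated AJAX calls with a 401 JSON body instead of a redirect, and a handler that takes the owner id from the passport session (`req.user`) rather than from anything the client sends. The `mockRes`/`runChain` helpers are constructed stand-ins so the middleware can be exercised without Express installed; the handler signatures are the standard `(req, res, next)` shape Express and passport use.

```javascript
// Treat a request as AJAX if it carries the XHR marker header or asks for JSON.
function isAjax(req) {
  const accept = req.headers['accept'] || '';
  return req.xhr === true ||
    req.headers['x-requested-with'] === 'XMLHttpRequest' ||
    accept.includes('application/json');
}

// Like connect-ensure-login's ensureLoggedIn, but AJAX callers get 401 JSON, not a 302 to /login.
function ensureLoggedInJson(req, res, next) {
  if (typeof req.isAuthenticated === 'function' && req.isAuthenticated() && req.user) {
    return next();
  }
  if (isAjax(req)) {
    return res.status(401).json({ error: 'authentication required' });
  }
  return res.redirect('/login');
}

// Route handler: ownerId is always the session user, so a client-supplied ownerId is ignored.
function createContentHandler(store) {
  return function (req, res) {
    const body = req.body || {};
    if (typeof body.text !== 'string' || body.text.length === 0 || body.text.length > 1000) {
      return res.status(400).json({ error: 'invalid content' });
    }
    const item = { id: store.length + 1, ownerId: req.user.id, text: body.text };
    store.push(item);
    return res.status(201).json(item);
  };
}

// Constructed minimal res object (status/json/redirect only) for running the chain offline.
function mockRes() {
  const res = { statusCode: 200, body: undefined, redirectedTo: undefined };
  res.status = function (code) { res.statusCode = code; return res; };
  res.json = function (obj) { res.body = obj; return res; };
  res.redirect = function (url) { res.statusCode = 302; res.redirectedTo = url; return res; };
  return res;
}

// Run middleware + handler in order, the way an Express router would, and return the res.
function runChain(handlers, req) {
  const res = mockRes();
  let i = 0;
  const next = () => { const h = handlers[i++]; if (h) h(req, res, next); };
  next();
  return res;
}
```

On the client, call `fetch(url, { method: 'POST', credentials: 'same-origin', headers: { 'X-Requested-With': 'XMLHttpRequest', 'Content-Type': 'application/json' }, body: JSON.stringify({ text }) })` so the session cookie travels with the request (older fetch implementations omitted it by default) and the guard can tell the call is AJAX.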
