I'm currently working on my first node.js/react project, and I wish to start actually using the project myself, but I am afraid there might be some critical vulnerability I am not aware of. I did obtain an SSL certificate, so I do not need to worry about that; I also force HTTPS (when I can), and use the helmet library.

I have two main authentication middlewares I created: one is for most of the routes, and the second is for the file download route. I needed separate middleware for these two types of routes because I wanted to use the built-in file downloading that comes with web browsers (it basically clicks on an invisible link to start the GET request of the file download), and there is no good way to send an auth token with that request (without using cookies, which I would like to avoid). Because of this, as I state in the code's comments, I made it so the client needs to first obtain a temporary token and send that, since it's safer (hopefully) to use in the URL, because I immediately revoke this token after the route is authenticated through the middleware.

I posted the code on pastebin (with comments); if I could please get some insight, that would be greatly appreciated: https://pastebin.com/P4ZDXZQW

Note: While I do want to make this application public and open source on github eventually, I only want myself connecting to my home web server (I am hosting this server at my house, and do not use any type of cloud service; I wanted to store all the large file downloads locally). Because of this, inside of the env file I made an option to disable account creation, so after I created my account I activated this; the account creation is denied on the server side too.

Edit: I also posted this on stackoverflow, if you would rather use that link: https://stackoverflow.com/questions/60201930/is-this-authentication-middleware-and-route-implementation-safe-node-js-express
Submitted February 13, 2020 at 06:37AM by subnub99