admin can be added by anyone #12
Comments
Hi, @BorysTyminski can you do a PR fixing the issue :)
How do we want to solve this? I think an admin should only be created by another admin. However, at the start we don't have any admins. Maybe we should have two other collections for user and admin? I also for sure would like to add email confirmation after registration and maybe IP saving on login and registration, as it's very common. I think this is a pretty serious vulnerability. If some developer uses this boilerplate and doesn't realize an admin can be added by adding a role to the JSON which goes to the API, then a potential cracker can access any admin endpoint.
I think we need to support a default admin. Then he can only add other admins. This is pretty common in most products.
You still want to have admins and users in one collection? I think we should split them into two different mongo collections and then rename auth.controller.js to user.controller.js and also create user.route.js and refactor auth.route.js to contain only these demonstration "/secret" routes.
I'm about to create a new PR with the fix, but it will contain lots of changes and I actually split users and admins into two collections.
You are good to go |
Currently new admin can be added by anyone.
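The pattern behind this issue, as an added example that is not code from the boilerplate itself: a registration handler that copies the request JSON straight into the stored user document lets the caller choose their own role, while an allow-list of registration fields plus a server-side role decision closes it. The field names (`email`, `password`, `role`), the role values and the "default admin creates other admins" helper are assumptions for illustration; plain functions stand in for the Express handlers and Mongoose models so it runs offline.

```javascript
// Added example (not from the repository): why copying the registration JSON
// straight into the user document lets a caller pick their own role, and the
// allow-list that closes it. Plain functions, no Express or Mongoose needed.

const ROLES = Object.freeze({ USER: 'user', ADMIN: 'admin' });

// Constructed request body: a normal signup payload with an extra "role"
// field smuggled in. The field name is assumed; the issue only says the
// role arrives in the JSON sent to the API.
const REGISTRATION_BODY = {
  email: 'alice@example.com',
  password: 'correct horse battery staple',
  role: 'admin',
};

// Vulnerable pattern: every property of the body lands in the stored
// document, so the default role is overridden by whatever the client sent.
function buildUserUnsafe(body) {
  return { role: ROLES.USER, ...body };
}

// Hardened pattern: copy only the fields registration is allowed to set and
// decide the role on the server. Names of dropped fields are returned so the
// handler can log a request that tried to set something it should not.
const REGISTRATION_FIELDS = ['email', 'password'];

function buildUserSafe(body) {
  const user = { role: ROLES.USER };
  const dropped = [];
  for (const [key, value] of Object.entries(body)) {
    if (REGISTRATION_FIELDS.includes(key)) user[key] = value;
    else dropped.push(key);
  }
  return { user, dropped };
}

// Admin creation as the thread proposes it: only an existing admin may mint
// another one. The first (default) admin is assumed to be seeded out of band,
// never through the public registration route.
function createAdmin(actor, body) {
  if (!actor || actor.role !== ROLES.ADMIN) {
    throw new Error('only an admin may create admins');
  }
  const { user } = buildUserSafe(body);
  user.role = ROLES.ADMIN;
  return user;
}

// The check an admin-only route should run, on the user loaded from the
// database for the authenticated session, never on claims in the request body.
function isAdmin(user) {
  return Boolean(user) && user.role === ROLES.ADMIN;
}

// Stand-alone demonstration of both paths on the constructed payload.
console.log('unsafe role:', buildUserUnsafe(REGISTRATION_BODY).role);
const { user, dropped } = buildUserSafe(REGISTRATION_BODY);
console.log('safe role:', user.role, 'dropped fields:', dropped);
```

The allow-list is the part worth carrying into the real handler: a Mongoose schema with a `role` field will happily accept `role` from `req.body` unless the controller picks the fields explicitly, and a separate admin collection only helps if the public registration route cannot write to it.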