From 36acc484bd80648c22ba5632b64fad623b0a1eae Mon Sep 17 00:00:00 2001
From: Amos Haviv
Date: Sat, 26 Apr 2014 15:17:31 +0300
Subject: [PATCH] Fixing roles security issues

---
 app/controllers/users.server.controller.js | 7 +++
 config/strategies/google.js | 66 +++++++++++-----------
 2 files changed, 40 insertions(+), 33 deletions(-)

diff --git a/app/controllers/users.server.controller.js b/app/controllers/users.server.controller.js
index fb4f6cc8b0..b8b4c76f6f 100755
--- a/app/controllers/users.server.controller.js
+++ b/app/controllers/users.server.controller.js
@@ -36,6 +36,9 @@ var getErrorMessage = function(err) {
 * Signup
 */
 exports.signup = function(req, res) {
+ // For security measurement we remove the roles from the req.body object
+ delete req.body.roles;
+
 // Init Variables
 var user = new User(req.body);
 var message = null;
@@ -44,6 +47,7 @@ exports.signup = function(req, res) {
 user.provider = 'local';
 user.displayName = user.firstName + ' ' + user.lastName;
 
+ // Then save the user
 user.save(function(err) {
 if (err) {
 return res.send(400, {
@@ -96,6 +100,9 @@ exports.update = function(req, res) {
 var user = req.user;
 var message = null;
 
+ // For security measurement we remove the roles from the req.body object
+ delete req.body.roles;
+
 if (user) {
 // Merge existing user
 user = _.extend(user, req.body);
diff --git a/config/strategies/google.js b/config/strategies/google.js
index a27cc51e47..af4aacedef 100644
--- a/config/strategies/google.js
+++ b/config/strategies/google.js
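Review bot: Deleting only `roles` from `req.body` in the `signup` hunk (`@@ -36`) and the `update` hunk (`@@ -96`) is a blacklist, so every other path the client sends — `provider` on `update`, and any privileged field added to the User model later — still reaches `new User(req.body)` and `_.extend(user, req.body)` unfiltered. A whitelist of the fields a self-service user may set is the safer default, e.g. in `update`: `user = _.extend(user, _.pick(req.body, 'firstName', 'lastName', 'email', 'username'));` and the equivalent `new User(_.pick(req.body, …))` in `signup`, with the list adjusted to the User schema, which is outside this patch. The comment `// For security measurement we remove the roles from the req.body object` would read better as `// Never trust roles from the client; only server-side code may assign them`. Both `signup` and `update` continue past their hunks, so what happens to `user` afterwards was not reviewed here.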
@@ -1,39 +1,39 @@
 'use strict';
 
 var passport = require('passport'),
- url = require('url'),
- GoogleStrategy = require('passport-google-oauth').OAuth2Strategy,
- config = require('../config'),
- users = require('../../app/controllers/users.server.controller');
+ url = require('url'),
+ GoogleStrategy = require('passport-google-oauth').OAuth2Strategy,
+ config = require('../config'),
+ users = require('../../app/controllers/users.server.controller');
 
 module.exports = function() {
- // Use google strategy
- passport.use(new GoogleStrategy({
- clientID: config.google.clientID,
- clientSecret: config.google.clientSecret,
- callbackURL: config.google.callbackPath,
- passReqToCallback: true
- },
- function(req, accessToken, refreshToken, profile, done) {
- // Set the provider data and include tokens
- var providerData = profile._json;
- providerData.accessToken = accessToken;
- providerData.refreshToken = refreshToken;
-
- // Create the user OAuth profile
- var providerUserProfile = {
- firstName: profile.name.givenName,
- lastName: profile.name.familyName,
- displayName: profile.displayName,
- email: profile.emails[0].value,
- username: profile.username,
- provider: 'google',
- providerIdentifierField: 'id',
- providerData: providerData
- };
+ // Use google strategy
+ passport.use(new GoogleStrategy({
+ clientID: config.google.clientID,
+ clientSecret: config.google.clientSecret,
+ callbackURL: config.google.callbackPath,
+ passReqToCallback: true
+ },
+ function(req, accessToken, refreshToken, profile, done) {
+ // Set the provider data and include tokens
+ var providerData = profile._json;
+ providerData.accessToken = accessToken;
+ providerData.refreshToken = refreshToken;
 
- // Save the user OAuth profile
- users.saveOAuthUserProfile(req, providerUserProfile, done);
- }
- ));
-};
+ // Create the user OAuth profile
+ var providerUserProfile = {
+ firstName: profile.name.givenName,
+ lastName: profile.name.familyName,
+ displayName: profile.displayName,
+ email: profile.emails[0].value,
+ username: profile.username,
+ provider: 'google',
+ providerIdentifierField: 'id',
+ providerData: providerData
+ };
+
+ // Save the user OAuth profile
+ users.saveOAuthUserProfile(req, providerUserProfile, done);
+ }
+ ));
+};
\ No newline at end of file