Allow createUser to be authenticated/restricted only to the current user #89

morgothulhu · 2017-02-05T01:04:40Z

Scenario is self-served portal.

Any user can sign-in using Auth0, thus get their id_token.
Using https://jwt.io/, the encoded id_token can be modified, to alter the sub field
Then the createUser(authProvider: {auth0: {idToken: $idToken}} ... mutation can be invoked with the forged id_token.

Two possible solutions I see:

allow 'authenticated' condition to allow matching user (as long as the proper Authentication Bearer idToken) is passed even if the row is not yet created in User
replace auth0: {idToken} to use JWT (as mentioned here) to validate on graph.cool proper signature

The text was updated successfully, but these errors were encountered:

sorenbs · 2017-02-06T08:51:29Z

Thanks for reporting this @morgothulhu

I will look into this today and get back to you.

sorenbs · 2017-03-03T14:42:29Z

This is resolved by validating the jwt. Thanks again @morgothulhu

sorenbs closed this as completed Mar 3, 2017

marktani added the stage/completed label May 4, 2017

This was referenced Sep 16, 2021

[Snyk] Fix for 1 vulnerabilities Skitionek/prisma#24

Merged

[Snyk] Fix for 1 vulnerabilities ajesse11x/prisma#60

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Allow createUser to be authenticated/restricted only to the current user #89

Allow createUser to be authenticated/restricted only to the current user #89

morgothulhu commented Feb 5, 2017

sorenbs commented Feb 6, 2017

sorenbs commented Mar 3, 2017

Allow createUser to be authenticated/restricted only to the current user #89

Allow createUser to be authenticated/restricted only to the current user #89

Comments

morgothulhu commented Feb 5, 2017

sorenbs commented Feb 6, 2017

sorenbs commented Mar 3, 2017