From be9c28b59d48bd9b5f6f8e332afe04af4f819978 Mon Sep 17 00:00:00 2001 From: Tetardtek Date: Sun, 15 Mar 2026 17:25:31 +0100 Subject: [PATCH] fix(security): IDOR verifyToken+verifySelf, resetTokenSecret, firstname/lastname add, JWT expiresIn 7d --- Backend/src/controllers/userControllers.js | 7 ++++--- Backend/src/router.js | 16 ++++++++++++---- 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/Backend/src/controllers/userControllers.js b/Backend/src/controllers/userControllers.js index 6130999..cecd9e8 100755 --- a/Backend/src/controllers/userControllers.js +++ b/Backend/src/controllers/userControllers.js @@ -7,6 +7,7 @@ const nodemailer = require("nodemailer"); const tables = require("../tables"); const secretKey = process.env.APP_SECRET; +const resetTokenSecret = process.env.RESET_TOKEN_SECRET; const saltRounds = 10; const passwordSchema = Joi.string() @@ -171,7 +172,7 @@ const login = async (req, res) => { return res.status(401).json({ message: "Mot de passe incorrect" }); } - const token = jwt.sign({ user: user.id }, secretKey); + const token = jwt.sign({ user: user.id }, secretKey, { expiresIn: "7d" }); return res.status(200).json({ message: "Connexion réussie", @@ -309,7 +310,7 @@ const edit = async (req, res) => { const add = async (req, res, next) => { try { - const { nickname, mail, password, confirmPassword } = + const { firstname, lastname, nickname, mail, password, confirmPassword } = req.body; const existingUserByMail = await tables.users.getByMail(mail); @@ -353,7 +354,7 @@ const add = async (req, res, next) => { const insertId = await tables.users.create(user); - const token = jwt.sign({ user: user.id }, secretKey); + const token = jwt.sign({ user: user.id }, secretKey, { expiresIn: "7d" }); res.status(201).json({ insertId, token }); return insertId; diff --git a/Backend/src/router.js b/Backend/src/router.js index 12e886d..6ed2040 100755 --- a/Backend/src/router.js +++ b/Backend/src/router.js 
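Review bot: `resetTokenSecret` is read from `process.env.RESET_TOKEN_SECRET` with no presence check, and nothing in this diff uses it yet, so a missing variable would only surface later as a throw from `jwt.sign` (or a failed verify) rather than at startup; the pre-existing `secretKey` line above it has the same gap. The reset-token flow that consumes it presumably lives outside this diff, so the guard belongs next to the declaration: `if (!resetTokenSecret) throw new Error("RESET_TOKEN_SECRET is not set");`. It is also worth a one-line comment stating that this secret must differ from `APP_SECRET`, since the point of a separate key is that a reset token cannot double as a session token.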
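Review bot: The `"7d"` lifetime literal on the `jwt.sign` line here is duplicated verbatim in the `add` hunk at @@ -353, so the two places can silently drift apart the next time one is tuned. A single module-level constant next to `secretKey`, `const tokenExpiresIn = "7d";`, used as `jwt.sign({ user: user.id }, secretKey, { expiresIn: tokenExpiresIn })` in both hunks keeps the session policy in one place. The `login` function begins and ends outside this hunk.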
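Review bot: The registration token is still signed with `user.id` right after `const insertId = await tables.users.create(user);`, and nothing in the hunk shows `user.id` being assigned — the new row's id is the returned `insertId` — so the payload is most likely `{ user: undefined }`, which JSON serialization drops, yielding a token with no `user` claim (this predates the commit, but the commit rewrites the line). Assuming `verifyToken` populates `req.user` from that claim, such a token would then fail the new `verifySelf` check in router.js, which compares `String(req.user)` with `:id`, so newly registered users could not read or edit their own record. Change the line to `const token = jwt.sign({ user: insertId }, secretKey, { expiresIn: "7d" });`, unless `tables.users.create` is known to mutate `user.id`, which the hunk does not show. The `add` function begins before this hunk.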
@@ -11,13 +11,21 @@ const userControllers = require("./controllers/userControllers"); const verifyToken = require("./middlewares/verifyToken"); +// Vérifie que le token appartient au même utilisateur que :id +const verifySelf = (req, res, next) => { + if (String(req.user) !== String(req.params.id)) { + return res.status(403).json({ message: "Forbidden." }); + } + return next(); +}; + // User management router.get("/users", verifyToken, userControllers.browse); -router.get("/users/:id", userControllers.read); -router.get("/users/:id/field", userControllers.read); -router.put("/users/:id", userControllers.edit); +router.get("/users/:id", verifyToken, verifySelf, userControllers.read); +router.get("/users/:id/field", verifyToken, verifySelf, userControllers.read); +router.put("/users/:id", verifyToken, verifySelf, userControllers.edit); router.post("/users", userControllers.add); -router.delete("/users/:id", userControllers.destroy); +router.delete("/users/:id", verifyToken, verifySelf, userControllers.destroy); router.post("/login", userControllers.login);