Tetardtek/ClickerZ
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): IDOR verifyToken+verifySelf, resetTokenSecret, firstname/lastname add, JWT expiresIn 7d

Browse Source
This commit is contained in:
Tetardtek
2026-03-15 17:25:31 +01:00
parent 4e93753250
commit be9c28b59d
2 changed files with 16 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
Backend/src/router.js
View File

@@ -11,13 +11,21 @@ const userControllers = require("./controllers/userControllers");
const verifyToken = require("./middlewares/verifyToken");
// Vérifie que le token appartient au même utilisateur que :id
const verifySelf = (req, res, next) => {
if (String(req.user) !== String(req.params.id)) {
return res.status(403).json({ message: "Forbidden." });
}
return next();
};
// User management
router.get("/users", verifyToken, userControllers.browse);
router.get("/users/:id", userControllers.read);
router.get("/users/:id/field", userControllers.read);
router.put("/users/:id", userControllers.edit);
router.get("/users/:id", verifyToken, verifySelf, userControllers.read);
router.get("/users/:id/field", verifyToken, verifySelf, userControllers.read);
router.put("/users/:id", verifyToken, verifySelf, userControllers.edit);
router.post("/users", userControllers.add);
router.delete("/users/:id", userControllers.destroy);
router.delete("/users/:id", verifyToken, verifySelf, userControllers.destroy);
router.post("/login", userControllers.login);