fix(security): IDOR verifyToken+verifySelf, resetTokenSecret, firstname/lastname add, JWT expiresIn 7d

2026-03-15 17:25:31 +01:00
parent 4e93753250
commit be9c28b59d
2 changed files with 16 additions and 7 deletions


@@ -7,6 +7,7 @@ const nodemailer = require("nodemailer");
const tables = require("../tables"); const tables = require("../tables");
const secretKey = process.env.APP_SECRET; const secretKey = process.env.APP_SECRET;
const resetTokenSecret = process.env.RESET_TOKEN_SECRET;
const saltRounds = 10; const saltRounds = 10;
const passwordSchema = Joi.string() const passwordSchema = Joi.string()
@@ -171,7 +172,7 @@ const login = async (req, res) => {
return res.status(401).json({ message: "Mot de passe incorrect" }); return res.status(401).json({ message: "Mot de passe incorrect" });
} }
const token = jwt.sign({ user: user.id }, secretKey); const token = jwt.sign({ user: user.id }, secretKey, { expiresIn: "7d" });
return res.status(200).json({ return res.status(200).json({
message: "Connexion réussie", message: "Connexion réussie",
@@ -309,7 +310,7 @@ const edit = async (req, res) => {
const add = async (req, res, next) => { const add = async (req, res, next) => {
try { try {
const { nickname, mail, password, confirmPassword } = const { firstname, lastname, nickname, mail, password, confirmPassword } =
req.body; req.body;
const existingUserByMail = await tables.users.getByMail(mail); const existingUserByMail = await tables.users.getByMail(mail);
@@ -353,7 +354,7 @@ const add = async (req, res, next) => {
const insertId = await tables.users.create(user); const insertId = await tables.users.create(user);
const token = jwt.sign({ user: user.id }, secretKey); const token = jwt.sign({ user: user.id }, secretKey, { expiresIn: "7d" });
res.status(201).json({ insertId, token }); res.status(201).json({ insertId, token });
return insertId; return insertId;
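Review bot: In `add`, the token on the line after `tables.users.create(user)` is still signed with `user.id`, so unless `user` was given an `id` property before insertion (not visible in this hunk) the payload is `{ user: undefined }` and the new `verifySelf` check will answer 403 on every `/users/:id` route for a freshly registered account until it logs in again. Sign with the id the database returned: `const token = jwt.sign({ user: insertId }, secretKey, { expiresIn: "7d" });`. The `resetTokenSecret` introduced in the first hunk is read from the environment with no presence check; its use is outside this view, but a guard next to the declaration such as `if (!resetTokenSecret) throw new Error("RESET_TOKEN_SECRET is not set");` fails at startup instead of at the first reset request. The body of `add` continues outside the hunk.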


@@ -11,13 +11,21 @@ const userControllers = require("./controllers/userControllers");
const verifyToken = require("./middlewares/verifyToken"); const verifyToken = require("./middlewares/verifyToken");
// Vérifie que le token appartient au même utilisateur que :id
const verifySelf = (req, res, next) => {
if (String(req.user) !== String(req.params.id)) {
return res.status(403).json({ message: "Forbidden." });
}
return next();
};
// User management // User management
router.get("/users", verifyToken, userControllers.browse); router.get("/users", verifyToken, userControllers.browse);
router.get("/users/:id", userControllers.read); router.get("/users/:id", verifyToken, verifySelf, userControllers.read);
router.get("/users/:id/field", userControllers.read); router.get("/users/:id/field", verifyToken, verifySelf, userControllers.read);
router.put("/users/:id", userControllers.edit); router.put("/users/:id", verifyToken, verifySelf, userControllers.edit);
router.post("/users", userControllers.add); router.post("/users", userControllers.add);
router.delete("/users/:id", userControllers.destroy); router.delete("/users/:id", verifyToken, verifySelf, userControllers.destroy);
router.post("/login", userControllers.login); router.post("/login", userControllers.login);
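Review bot: `verifySelf` compares `String(req.user)` with `String(req.params.id)`, which is only correct if `verifyToken` (outside this view) stores the token's `user` claim itself on `req.user`; if it attaches the whole decoded payload, the left side becomes `"[object Object]"` and every self-route returns 403. This dependency should be confirmed in `./middlewares/verifyToken` and stated on the middleware, e.g. replacing the French one-liner with `// Requires verifyToken: req.user must hold the authenticated user's id; any other :id is rejected with 403`. On layout, `verifyToken` lives under `./middlewares` while `verifySelf` is defined inline in the router; moving it to `./middlewares/verifySelf.js` keeps the two access checks together and lets other routers reuse it. The function is complete within the hunk.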