
Security issues of tutorial

Open yuta0801 opened this issue 3 years ago • 8 comments

The tutorial seems to have security issues that anyone can

  • create and update any choices through createQuestion
  • update choices with any data through updateChoice

I think a security note or a new section about how to fix the issues should be added.

Demo in browser console: [image]

yuta0801 avatar Sep 11 '20 16:09 yuta0801

Good catch! For the first issue, the solution is to add ctx.session!.authorize() at the top of every query and mutation. This is added by default in generated code, but I think there are a few places in the tutorial that need this.

flybayer avatar Sep 11 '20 18:09 flybayer

Can I take this one?

liamjosephsilk avatar Sep 22 '20 11:09 liamjosephsilk

@liamjosephsilk yes!

flybayer avatar Sep 24 '20 01:09 flybayer

For the first issue, the solution is to add "ctx.session!.authorize()" at the top of every query and mutation.

Yes, it's also an issue that anyone can post. However, since the tutorial didn't cover authentication, I think it doesn't matter (of course, it would be very nice if it did). I just wanted to mention that everyone can insert 5+ choices (we probably want to limit it to 4 or lower) and can update choices related to other questions (this is undesirable behavior).

yuta0801 avatar Sep 24 '20 13:09 yuta0801
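A hardened version of the two mutations discussed above (the authorize() call from flybayer's reply, plus the choice limit and per-question scoping from yuta0801's), added here as an example and not taken from the tutorial. It replaces Blitz and Prisma with a hypothetical in-memory store and a minimal stand-in for ctx.session.authorize() so that it runs stand-alone.

```typescript
// Hypothetical stand-ins (not Blitz or Prisma): a session, the tutorial's two models and an in-memory store.
type Session = { userId: number | null }
type Ctx = { session: Session }
type Choice = { id: number; questionId: number; text: string }
type Question = { id: number; text: string; choices: Choice[] }

const MAX_CHOICES = 4 // the upper bound suggested in the thread
let nextChoiceId = 100 // constructed id counter

// Constructed seed data: two questions, each with its own choices.
const questions: Question[] = [
  { id: 1, text: "Favourite colour?", choices: [
    { id: 10, questionId: 1, text: "red" }, { id: 11, questionId: 1, text: "blue" } ] },
  { id: 2, text: "Favourite food?", choices: [ { id: 20, questionId: 2, text: "pizza" } ] },
]

// Stand-in for ctx.session.authorize(): reject anonymous callers before touching any data.
function authorize(ctx: Ctx): number {
  if (ctx.session.userId === null) throw new Error("AuthorizationError: not logged in")
  return ctx.session.userId
}

// createQuestion accepts only plain choice texts, never a raw nested-write object,
// so a caller cannot smuggle connect/update operations on existing choices into the input.
function createQuestion(input: { text: string; choices: string[] }, ctx: Ctx): Question {
  authorize(ctx)
  if (input.choices.length < 1 || input.choices.length > MAX_CHOICES) {
    throw new Error(`a question needs between 1 and ${MAX_CHOICES} choices`)
  }
  const id = questions.length + 1
  const choices = input.choices.map((text) => ({ id: nextChoiceId++, questionId: id, text }))
  const question: Question = { id, text: input.text, choices }
  questions.push(question)
  return question
}

// updateChoice is scoped to a question: the choice must belong to input.questionId,
// so one question's choices cannot be rewritten by supplying another question's id.
function updateChoice(input: { questionId: number; choiceId: number; text: string }, ctx: Ctx): Choice {
  authorize(ctx)
  const question = questions.find((q) => q.id === input.questionId)
  if (!question) throw new Error("question not found")
  const choice = question.choices.find((c) => c.id === input.choiceId)
  if (!choice) throw new Error("choice does not belong to this question")
  choice.text = input.text
  return choice
}
```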

Could we make use of authentication in the tutorial, seeing as it comes built in? Align it better with the current onboarding of setting up a project?

liamjosephsilk avatar Sep 24 '20 13:09 liamjosephsilk

Yeah would be good to add auth to this!

flybayer avatar Sep 28 '20 15:09 flybayer

I'm a little confused following the tutorial because auth seems to have been included in the app/generated code but there is no mention of it in the tutorial and there are inconsistencies because of it.

Perhaps there should be a way to start a project with no auth so that following the tutorial makes more sense.

goleary avatar Oct 18 '20 17:10 goleary

@goleary yeah sorry about that, we need to update the tutorial.

flybayer avatar Oct 26 '20 22:10 flybayer