dvws-node icon indicating copy to clipboard operation
dvws-node copied to clipboard
verified publisher icon snoopysecurity

User authentication does not work

Open droynvoss opened this issue 1 year ago • 2 comments

Expected Behavior

All routes are user authenticated.

Current Behavior

If the path of internal routes is known they are just accessible without verifying whether the user exists or not, in the MongoDB database.

image

How to ensure the routes are only available via registered users?

droynvoss avatar Jul 22 '24 12:07 droynvoss

Possible Solution

As suggested by @saipreetham123, within app.js move the line:

app.use(express.static('public'));

below the other use statements. And add a conditional middleware:


const excludedRoutes = ['/', '/register', '', '/login'];

app.use((req, res, next) => { 
  console.log(req.path);
  if (excludedRoutes.includes(req.path)) {
    next();
  } else {
    validateToken(req, res, next);
  }
});

image

droynvoss avatar Jul 22 '24 12:07 droynvoss

Hi, are these just the client side pages such as http://dvws.local/upload.html, http://dvws.local/notes.html etc? these pages can be viewed unauthenticated but the data for this pages are coming from /api, and that will require an API token

snoopysecurity avatar Sep 01 '24 23:09 snoopysecurity