1

How can I secure my express "GET" route in my App so emails and user data can't be exposed to an unauthorized client. I was wondering, should I hash all the fields as I did with password?

My GET "/users" route sends JSON like this..

 {
 "name": "keven",
 "email": "[email protected]",
 "user": "keven",
 "password": "EEOnGFritH1631671dc8da7431399f824b3925a49e",
 "country": "America",
 "date": "April 20th 2013, 10:34:22 pm",
 "_id": "5173502e5g52676c1b000001"
  }

In my backbone and node/express app I have a url in my backbone collection, like this..

Users = Backbone.Collection.extend({
model: User,
url: '/users',
});

And the express route is like this:

app.get('/users', function(req, res){
User.find({}, function (err, accounts) {
res.send(accounts);
});
});

Thanks.

Improve this question
2
  • define unauthorized client, not logged in? wrong user? wrong group? Commented Apr 23, 2013 at 0:48
  • For example. If a visitor goes to the site, views the source code and the backbone.js files (whether logged in or not). They will be able to get which json route was used for the collection. The user can (as in the example above) go to site.com/users and get the full list of users or etc in JSON. I suppose hashing/salting the data may delay hacks, but I wasn't sure if its a good/safe practice to rely on that alone. Commented Apr 27, 2013 at 18:20

1 Answer 1

Reset to default
5

While this is not ideal, if the user and password are being sent with each request, you simply need some middleware to perform authentication & authorization in your node.js application.

An authentication function:

function authenticate(user, password, fn) {
  // Trivial, but not recommended
  User.findOne({user: user, password: password}, function (err, user) {
    if (err) {
      return fn(err);
    }
    if (!user) {
      return fn(new Error('no such user'));
    }

    return fn(null, user);
  });
}

An authorization middleware function, which relies on authentication:

function authorize(req, res, next) {
  authenticate(req.params.user, req.params.password, function(err, user) {
    if (err) {
      res.redirect('/login');
    }

    // Probably other logic her to determine now *what* they can do

    return next(null, user);
  });
}

Now, since you're using Express, you can make use of the authorization middleware in your route to restrict access:

app.get('/users', authorize, function(req, res){
  // Can only get here if allowed
  User.find({}, function (err, accounts) {
    res.send(accounts);
  });
});

But notice this will be performing a search for the user with each request - one of the reasons I said its not ideal. For proper system security design, you should be looking at using http basic authentication, and session-based cookies or oauth.

Here are some links for you to check out:

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thanks for the great links and helping me understand. I ended up using Passportjs (passportjs.org) for authentication, and will add this to keep routes accessible by the site's admin.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.