Why others can delete sessions ?!
iraniamir opened this issue · comments
Hi
in this route everyone can send sessions to delete without checking the session is theirs or not !!
server.route({
method: 'DELETE',
path: '/sessions/my/{id}',
config: {
auth: {
strategy: 'simple'
},
pre: [{
assign: 'current',
method: function (request, reply) {
const currentSession = request.auth.credentials.session._id.toString();
if (currentSession === request.params.id) {
return reply(Boom.badRequest('Unable to close your current session. You can use logout instead.'));
}
reply(true);
}
}]
},
handler: function (request, reply) {
const id = request.params.id;
Session.findByIdAndDelete(id, (err, session) => {
if (err) {
return reply(err);
}
if (!session) {
return reply(Boom.notFound('Document not found.'));
}
reply(session);
});
}
});i suggest replace it with this (to let user just can delete their sessions not for others too) :
server.route({
method: 'DELETE',
path: '/sessions/my/{id}',
config: {
auth: {
strategy: 'simple'
},
pre: [{
assign: 'current',
method: function (request, reply) {
const currentSession = request.auth.credentials.session._id.toString();
if (currentSession === request.params.id) {
return reply(Boom.badRequest('Unable to close your current session. You can use logout instead.'));
}
reply(true);
}
}]
},
handler: function (request, reply) {
const id = request.params.id;
const userId = request.auth.credentials.user._id.toString();
const filter = {
_id: new ObjectID(id),
userId
};
Session.findOneAndDelete(filter, (err, session) => {
if (err) {
return reply(err);
}
if (!session) {
return reply(Boom.notFound('Document not found.'));
}
reply(session);
});
}
});
Thanks. A PR is welcome.
Was this fixed in #190? or is there another reason why it is still open?
Thanks @gregfrasco