0

I have been using feathers.js for sometime now and there's something I can't find after looking around. How do you prevent authenticated users from seeing all the users?

when I do a GET with postman on my /users route, if I'm authenticated, I will receive all the users registered on the app. How do I prevent this. I have tried returning my own custom responses, but this seems to block the /authentication route.

Any help will be appreciated as feathers is really nice to work with.

Youzef
  • 616
  • 1
  • 6
  • 23

2 Answers2

1

Currently feathers-authentication-hooks is the best way to limit queries, most commonly used to associate the current user. So in order to limit all requests to the currently authenticated user you would do this:

const { authenticate } = require('@feathersjs/authentication');
const { setField } = require('feathers-authentication-hooks');

app.service('users').hooks({
  before: {
    all: [
      authenticate('jwt'),
      setField({
        from: 'params.user.id',
        as: 'params.query.id'
      })
    ]
  }
})
Daff
  • 43,734
  • 9
  • 106
  • 120
  • Thanks @Daff. It works ok for the get method, not the post. Do I need to do a map function, because the post method returns more than one result? – Youzef Dec 07 '21 at 18:44
  • The post would create a new record. If you want to limit the created record to the user you would use a hook like shown in the chat guide (https://docs.feathersjs.com/guides/basics/hooks.html#sanitize-new-message). – Daff Dec 07 '21 at 21:01
  • Ok. Please bear with me.. if i have another route/service, say `/notifications` Now I would like to do a find(to return all the notifications belonging to this specific user). I have set it up exactly as the above example in `notifications .hooks.js` A postman request still returns all the notifications including those that belong to other users. However on a GET request it behaves ok and won't return any notifications belonging to other users. – Youzef Dec 07 '21 at 23:03
  • Ok, never mind. I had modified the `notifications.class` file. Thats why – Youzef Dec 09 '21 at 15:25
0

You can use limit and skip parameters. So when you do the FIND (GET) request, send also limit: 5, skip: 0. This is a way to do a pagination in feathersjs.

You can check it here: https://docs.feathersjs.com/api/databases/common.html#pagination

Or, if you want to set default values for pagination of the certain service, you can do it in the initialization phase, like this:

app.use('/users', service({
  paginate: {
    default: 5,
    max: 25
  }
}));
Lazar Nikolic
  • 4,261
  • 1
  • 22
  • 46
  • But if someone still goes to the `/users` route on postman, the response always comes with the data, paginated or not... or is the something i'm missing here. I'm sure the must be a way to prevent this? – Youzef Nov 08 '21 at 11:35
  • I have updated my answer to answer to your question in the comment. If this has solved your issue, please consider marking my answer as the correct one. – Lazar Nikolic Nov 08 '21 at 11:41
  • Thanks for your help so far. but i haven't solved the problem yet. I do not want to paginate the response from the server. What I want is that there should not be any sensitive information returned from the server and if something must be returned, then info for the user making the request in postman. This is for security purposes. I don't know if I'm passing the idea across correctly – Youzef Nov 09 '21 at 07:47
  • No you are not. Your initial question was about something else. If you want to strip away user sensitive information from the returned data you should do it in the after hook of the users call. You should either close this question or rephrase it. Also go through this link: https://stackoverflow.com/help/how-to-ask – Lazar Nikolic Nov 09 '21 at 08:38