I'd love to know if this method I'm using is secure enough to use on a public project, since I can't really find any other way to retrieve my id from my currently logged-in user, but it's a fairly straightforward method, I find. If this method is not secure, would it be possible to have a way to proceed? Thanks in advance.
For example, I have a button which, when I click it, sends the HTML that is inside my userid div to the server, which then uses this information to make SQL queries from my app.js server.
I use socket.io, hbs, express, node.js, jwt and mysql.
From my pages.js file generated with the express library, where the main routes of my website are located, I send my user ID:
router.get('/accueil', authController.isLoggedIn, (req, res) => {
    if (req.user) {
        res.render('./accueil', {
            data: req.user.id
        });
    } else {
        res.redirect('/');
    }
});
With Handlebars I display this data in my index.hbs (with display: none;):
<div id="iduser">{{data}}</div>
Then I read my iduser div in my client.js:
let userid = document.getElementById('iduser').innerHTML;

// (My method to display this div)
socket.on('uid', (data) => {
    pargent.innerHTML = JSON.stringify(data.data[0].argent);
});
//
So I want to use this userid variable to make SQL queries from my app.js. (let userid = document.getElementById('iduser').innerHTML;)
I am using socket.io for communication between client and server to send my userid data.
Example:
db.query('UPDATE users SET money = money + ? WHERE id = ?', [100, theUserId]);
CodePudding user response:
No
Never trust user-supplied data.
References:
- https://www.oreilly.com/library/view/http-developers-handbook/0672324547/0672324547_ch22lev1sec1.html
- https://flylib.com/books/en/1.290.1.90/1/
- https://www.garybell.co.uk/never-trust-user-input/
- https://medium.com/@berniedurfee/never-trust-a-client-not-even-your-own-2de342723674
- https://www.invicti.com/blog/web-security/input-validation-errors-root-of-all-evil/
- https://laravel-news.com/never-trust-your-users
- https://www.wearenova.co.uk/nova-blog/when-it-comes-to-online-security-why-you-should-never-trust-a-client
CodePudding user response:
It depends on your authController.isLoggedIn logic, but I would like to suggest an alternative solution, as simple as that: iron-session.
Read their docs; it matches your use case and is easy to use. Here is the equivalent of the snippet you provided with iron-session:
// initiate the session middleware yourself (see the iron-session docs)
router.use(session)

// later here
router.get('/accueil', (req, res) => {
    if (req.session.user) {
        res.render('./accueil', {
            // read the id from the server-side session, not from req.user (which this route no longer sets)
            data: req.session.user.id
        });
    } else {
        res.redirect('/');
    }
});