what if a user gets a JWT token from inspecting HTTP ...
# orm-help
j
what if a user gets a JWT token from inspecting an HTTP request in the browser, and fakes a request to modify another user's resource?
l
that would be bad
j
so how do we avoid this problem?
from postgrest's docs, it uses the row-level-security configuration of the database. I didn't find related information about this for prisma.
l
You can't really do much if a random user can access the browser of another user; if he can open the site and the console and has access to everything, there's not much to do
But you can avoid CSRF attacks by not allowing the browser to authenticate the requests (just using a bearer token with a custom header does the work)
you can also use a short-lived access token, so if someone somehow has access to the info of the request, he will only have access for some minutes
and you can also do IP/location/browser validation, so if the access token is used in a different environment it will fail
but that can be overwritten easily
Having `httpOnly` and `secure` cookies (HTTPS) also helps 👍
j
I mean some user inspects the HTTP request of his own browser, gets the token, fakes a request, and changes another user's resource.
The JWT token specifies which actions the client can do. It sets no limit on row-level access.
l
it should not be possible; first, a JWT payload can't be changed, and it should be linked to a single user and only allow the actions allowed by its own payload, so no problem there
j
a user gets his token. He is allowed to create a post. He creates a post in the name of another user. Here prisma does check if the user is allowed to create a post, but the faked creation will pass. So the programmer must check it before sending the request to prisma.
postgrest uses the database feature Row-level-security to do this work.
I didn't find any related information for prisma
So I would have to write code to check if a request is legal if I am using prisma to set up a service
or I can set up RLS like for postgrest.