Best Practices
Security
- The user must be authenticated when the short token is used, making the short token less appealing as an attack vector.
- The long and short tokens are erased on successful verification and password reset attempts. New tokens must be acquired for another attempt.
- API parameters are verified to be strings. If the parameter is an object, the values of its props are verified to be strings. `options.identifyUserProps` restricts the property names allowed in param objects.
- In order to protect sensitive data, you should set a hook that prevents `PATCH` or `PUT` calls on authentication-management related properties:
```javascript
// users.hooks.js
const { disallow, iff, isProvider, preventChanges } = require('feathers-hooks-common');

module.exports = {
  before: {
    // Block full replacement of a user record from any external transport.
    update: [
      disallow('external'),
    ],
    // External clients may patch their own profile fields, but never the
    // verification and reset fields that authentication-management manages.
    patch: [
      iff(isProvider('external'), preventChanges(
        true,
        'isVerified',
        'resetExpires',
        'resetShortToken',
        'resetToken',
        'verifyChanges',
        'verifyExpires',
        'verifyShortToken',
        'verifyToken',
      )),
    ],
  },
};
```
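To see why the `iff(isProvider('external'), ...)` guard matters, here is an added example (not part of the feathers-authentication-management docs or of feathers-hooks-common) with minimal stand-ins for the helpers used above; `matchesProvider`, `usersBefore` and `attempt` are names chosen here. It shows an external PATCH of `isVerified` being rejected while the same write from server-side code, which is how the service itself flips the flag, goes through.

```javascript
// Added example: offline stand-ins for the feathers-hooks-common helpers
// used on this page. Use the real library in a project.
// Fields managed by authentication-management that clients must never write.
const PROTECTED_FIELDS = [
  'isVerified', 'resetExpires', 'resetShortToken', 'resetToken',
  'verifyChanges', 'verifyExpires', 'verifyShortToken', 'verifyToken',
];

// 'external' matches any transport provider (rest, socketio, ...);
// 'server' matches internal calls, which carry no provider at all.
const matchesProvider = (wanted, provider) => wanted.some((w) =>
  w === 'external' ? Boolean(provider) : w === 'server' ? !provider : w === provider);
const isProvider = (...wanted) => (ctx) => matchesProvider(wanted, ctx.params.provider);
const iff = (predicate, ...hooks) => (ctx) =>
  predicate(ctx) ? hooks.reduce((c, h) => h(c), ctx) : ctx;
const disallow = (...wanted) => (ctx) => {
  if (matchesProvider(wanted, ctx.params.provider)) {
    throw new Error(`Provider '${ctx.params.provider}' can not call this method`);
  }
  return ctx;
};
// preventChanges(true, ...fields): throw instead of silently stripping when
// any protected field appears in the data being written.
const preventChanges = (ifThrow, ...fields) => (ctx) => {
  const hit = fields.filter((f) => f in ctx.data);
  if (hit.length === 0) return ctx;
  if (ifThrow) throw new Error(`Field(s) may not be patched: ${hit.join(', ')}`);
  hit.forEach((f) => delete ctx.data[f]);
  return ctx;
};

// Same hook layout as the users.hooks.js snippet on this page.
const usersBefore = {
  update: [disallow('external')],
  patch: [iff(isProvider('external'), preventChanges(true, ...PROTECTED_FIELDS))],
};

// Run the before-hooks for one method and report the outcome. provider is
// undefined for server-side calls, e.g. authentication-management itself
// setting isVerified after the token has been checked.
function attempt(method, provider, data) {
  const ctx = { params: provider ? { provider } : {}, data: { ...data } };
  try {
    usersBefore[method].reduce((c, h) => h(c), ctx);
    return 'allowed';
  } catch (e) {
    return `rejected: ${e.message}`;
  }
}
```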