Open
Description
After generating the code using the latest template, I found the isAuthenticated
function using query parameters for access_token.
Is it safe? Assuming that this is not safe, why is it implemented in this way,
and what scenarios is it used for?
Any comments?
// Imports assumed from the generator's auth.service.js (not quoted in the issue):
import config from '../config/environment';
import expressJwt from 'express-jwt';
import compose from 'composable-middleware';
import User from '../api/user/user.model';

// express-jwt middleware: checks the Bearer token in the Authorization header
// against the session secret and puts the decoded payload on req.user
var validateJwt = expressJwt({
  secret: config.secrets.session
});

export function isAuthenticated() {
  return compose()
    // Validate jwt
    .use(function(req, res, next) {
      // allow access_token to be passed through query parameter as well
      // (note: this overwrites any Authorization header that is already present)
      if(req.query && req.query.hasOwnProperty('access_token')) {
        req.headers.authorization = `Bearer ${req.query.access_token}`;
      }
      // IE11 forgets to set Authorization header sometimes. Pull from cookie instead.
      // (needs cookie-parser; if the cookie is missing this yields "Bearer undefined",
      // which validateJwt rejects)
      if(req.query && typeof req.headers.authorization === 'undefined') {
        req.headers.authorization = `Bearer ${req.cookies.token}`;
      }
      validateJwt(req, res, next);
    })
    // Attach user to request
    .use(function(req, res, next) {
      // the JWT payload carries _id; replace it with the full user document
      User.findById(req.user._id).exec()
        .then(user => {
          if(!user) {
            return res.status(401).end();
          }
          req.user = user;
          next();
        })
        .catch(err => next(err));
    });
}
Why is this there? Why is the token being checked in the query
parameters?
I commented out this bit of code and it is still working fine:
      if(req.query && req.query.hasOwnProperty('access_token')) {
        req.headers.authorization = `Bearer ${req.query.access_token}`;
      }