Authorization check flaw: 'post' mutation does get invoked when no headers provided #84
Comments
|
Hi @steelcracker, so I think one extra check is required before calling Such as: const { userId } = context;
if (userId === null) throw new Error("Not Authenticated");So now this won't give error. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
On step 6-authentication there is an explanation that there will be an error indicating that the user was not authenticated:
This is only true if there is an authorization header present.
But if you post a mutation without any headers set, then
getUserId()never gets invoked in the first place due to:graphql-js/src/index.js
Lines 39 to 42 in e0a3a21
so the code never gets to the line
graphql-js/src/utils.js
Line 24 in e0a3a21
and the
context.userIdis just silently set to null. The code will proceed further and invoke the post mutation. To be honest, it won't succeed though, but due to another errorwhich is a strange misleading Prisma's error due to the null userId value at
graphql-js/src/resolvers/Mutation.js
Line 12 in e0a3a21
(by strange I mean we've set Prisma's schema to
postedBy User?earlier in the tutorial, which suggests that User could actually be null, and by misleading - there is no such postedBy arg complaint when using valid userId, so ideally prisma's error should tell that it doesn't accept null inside suchconnectdirective)So to conclude, there is a potential flaw with such an authorization check.
The text was updated successfully, but these errors were encountered: