I have a MongoDB of users; each user has a property that is user. Users can register, and they get the default role of user, but in the admin panel you can create other admins. The problem is I have no idea how to protect from somebody just getting the POST route for creating a user, setting the role property to admin, and posting it with Insomnia, for example. Any ideas how to prevent this?
B.G.
The answer that I can think of is using JWT tokens. Not sure how you can do this with passport.js, but you can do it like that:
Only an admin user should be able to create an admin account on the web (since you don't want to create it using a default user account -> just hide the button/option from other users).
You can put info in the JWT token (hence you can add admin-role in the JWT to separate admin requests from others, or the username is enough: you can check the user's role after getting the username from the token and getting the role from Mongo).
Only an admin can have a JWT token with admin-role. (The JWT token is created when the user logs in. You basically hide the user's (the one who just logged in) info in the token.)
Put a middleware so that anyone who does not have a JWT token (or has it but not the admin role) can't get into next(). Otherwise return 403. If you let them pass with a JWT token only, you have to check whether the user's role is admin inside the function.