My webapp has means of abuse: users can access things they're not supposed to, such as 127.0.0.1/users/1, 127.0.0.1/users/2, 127.0.0.1/users/3 and so on. Within these it reveals the user's registration email, IP, etc. (via JSON, so the web server can return customized messages and greetings, and allow users to edit account data within profile settings).

This is what my route looks like:

forum.GET("/users/:user_id", routeFunc(UsersGET))

I'm using the Gin-Gonic HTTP framework to create a dummy forum. Can someone tell me how to stop users from accessing the /users/ route whilst allowing the actual web server to use it freely? And maybe link me to the correct direction. Thanks!

(The server uses it to return things like "Welcome back, USERNAME".)

1
Either add authentication to the route in your code to prevent requests not from the authorized user or from an upstream server (which must authenticate), or override accesses to /users in your web server to prevent external clients using it. For example, in nginx, you could add a specific route and annotate it as internal. – Cosmic Ossifrage

@CosmicOssifrage thanks! Will check nginx docs. Can you also link me to something about adding auth to a route in gin-gonic? That would be the more ideal solution. – ilovejq

gin-gonic has a built-in HTTP basic auth middleware here. There are many third-party solutions too. If you want to use an alternative authentication mechanism, that would be more specific to your use case/requirements and might be better handled in a separate question so the nuances of implementing auth can be dealt with too. – Cosmic Ossifrage

1 Answer

You need to add authentication and authorization to your server.

Authentication is where a user will prove their identity to you by means of a shared secret (like a password hash) and authorization is where you check if that authenticated user is allowed to take the action they are trying to make.

There are many third party services that might help you with this (e.g. Auth0) where they can handle authentication for you and provide you with libraries for authorization.

Usually people bind authentication into their Gin-Gonic server by means of middleware (e.g. gin-jwt) which is run in front of every HTTP request. Once that middleware authenticates the user, you can add some logic to your handler that states that users can only view themselves.

Hope this helps. Good luck.
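An added example (not code from the question or the answer above) of the two checks the answer describes for the /users/:user_id route: authenticate the request first, then authorize it by checking that the authenticated user owns the requested profile. It is written against Go's standard net/http so it runs stand-alone without Gin; the same authenticate-then-authorize logic goes into the Gin handler. The bearer-token session map and the user ids are constructed sample data.

```go
package main

import (
	"encoding/json"
	"net/http"
	"strings"
)

// Constructed sample session store: bearer token -> authenticated user id.
// A real server would keep these in a database or use signed tokens (e.g. JWT).
var sessions = map[string]string{"token-user-1": "1", "token-user-2": "2"}

// authenticate maps the request's bearer token to a user id; "" means anonymous.
func authenticate(r *http.Request) string {
	const prefix = "Bearer "
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, prefix) {
		return ""
	}
	return sessions[strings.TrimPrefix(auth, prefix)]
}

// authorizeUser is the ownership check: a profile may only be read by its own user.
func authorizeUser(authenticatedID, requestedID string) bool {
	return authenticatedID != "" && authenticatedID == requestedID
}

// usersGET handles GET /users/{id}: authenticate, then authorize, then answer.
func usersGET(w http.ResponseWriter, r *http.Request) {
	requested := strings.TrimPrefix(r.URL.Path, "/users/")
	me := authenticate(r)
	if me == "" {
		http.Error(w, `{"error":"unauthenticated"}`, http.StatusUnauthorized)
		return
	}
	if !authorizeUser(me, requested) {
		// 404 rather than 403 so the reply does not confirm that another id exists.
		http.Error(w, `{"error":"not found"}`, http.StatusNotFound)
		return
	}
	json.NewEncoder(w).Encode(map[string]string{
		"id": me, "greeting": "Welcome back, user " + me,
	})
}

func main() {
	http.HandleFunc("/users/", usersGET)
	http.ListenAndServe("127.0.0.1:8080", nil) // local only, as in the question
}
```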