Is the user_id sensitive information?


#1

So I’m thinking about allowing my users to share a URL of their stuff. The thing is - their user_id is in it. Can the user_id be used by someone else (not logged in) to log in? I know they don’t have the password but maybe maybe they can use the user_id to manipulate the logged-in-token in local storage?


#2

It is not an attack vector unless you explicitly use it to access sensitive information.

Basically, as long as you don’t pass the user id around as a parameter to methods or publications you’re off to a good start.

@pcorey has an excellent blog where he frequently shares valuable information scoped mostly to Meteor security. Do read through his articles and you’ll know what not to do with user id information :smile:


#3

Hi! @serkandurusoy Yes @pcorey has got some solid advice on security but I can’t seem to find anything on sharing the user_id.

So yeah don’t use a passed user_id from the client - always use this._id on the server. Then I’ll be good right?


#4

You don’t need any userId if you’ve got a token; it will be sent to you over DDP.


#5

> don’t use a passed user_id from the client - always use this._id on the server. Then I’ll be good right?

Yep! That’s about it. You should also audit the packages you bring into your app so that they are not doing anything funky.


#6

Hey @pokus,

There’s nothing wrong with exposing a userId in a route. There’s nothing sensitive about the ID in particular.

Just be sure that you’re correctly authorizing the current user (this.userId) in your methods and publications, verify that the current user has permission to view/update the target user, and check that the passed-in target user’s ID is a String: check(user_id, String);

Exposing userIds is really only an issue if you have some other vulnerability that requires a userId. For example, in this post I talk about a vulnerable method that took in the current userId as a parameter to the method. If you know an admin’s userId, you could effectively spoof admin rights. It’s all about information aggregation.
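The vulnerable pattern this post describes (a method that takes the caller's userId as an argument) beside the hardened form it recommends, as an added JavaScript example that is not from the thread or from Meteor itself; users, check and callMethod are constructed stand-ins for Meteor.users, Meteor's check and a DDP method invocation so it runs offline:

```javascript
// Constructed in-memory stand-in for Meteor.users (not real Meteor code).
const users = new Map([
  ['u_admin', { _id: 'u_admin', roles: ['admin'], email: 'admin@example.test' }],
  ['u_bob',   { _id: 'u_bob',   roles: [],        email: 'bob@example.test' }],
]);

// Minimal stand-in for Meteor's check(value, pattern); only String is supported here.
function check(value, pattern) {
  if (pattern !== String) throw new Error('unsupported pattern in this mock');
  if (typeof value !== 'string') throw new Error('Match error: expected String');
}

function isAdmin(userId) {
  const u = users.get(userId);
  return Boolean(u && u.roles.includes('admin'));
}

// Vulnerable pattern from the post: the caller's identity is a method argument,
// so anyone who knows an admin's userId (say, from a shared URL) can pass it.
function viewUserVulnerable(requestingUserId, targetUserId) {
  if (!isAdmin(requestingUserId)) throw new Error('not-authorized');
  return users.get(targetUserId) || null;
}

// Hardened form: identity comes from the authenticated connection (this.userId),
// only the target id is client-supplied, and it is type-checked before use
// (a non-string such as a selector object is rejected rather than reaching the DB).
const methods = {
  viewUser(targetUserId) {
    check(targetUserId, String);
    if (!this.userId || !isAdmin(this.userId)) throw new Error('not-authorized');
    return users.get(targetUserId) || null;
  },
};

// Stand-in for a DDP method call: Meteor binds `this` to the invocation context,
// whose userId is set by the server from the login token, never by the client.
function callMethod(name, context, ...args) {
  return methods[name].apply(context, args);
}
```

The hardened method refuses an unauthenticated or non-admin caller no matter which ids they know, which is exactly why a userId in a shared URL is harmless on its own.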


#7

Can a non-logged-in user get a token without a username and password?


#8

Yes I am using audit. Check!


#9

Cool. That’s what I was wondering. Yes, never trust user_id from the client and always validate your args. Should be printed on a Meteor t-shirt :wink: