Fix broken Access Control

[jeagercoder]

Security report

Describe the bug

No access control implemented, the user data update endpoint is not authenticated so anyone can change any user data

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

I found a lot of logic that does not implement access control, one of which is:

const submission = parse(formData, { schema: schemaUserFullName })
    if (!submission.value) return json(submission, { status: 400 })
    await modelUser.updateFullName(submission.value)
    await timer.delay()
    return json(submission)

curl 'https://bandungdev.com/user/settings?_data=routes%2Fuser.settings' --data-raw 'id=userId&intent=user-change-fullname&fullname=Hacked by jeager'

Reference

OWASP Broken Access Control

[mhaidarhanif]

Thanks @jeagercoder for the security report.

We'll fix to put all the important route loaders/actions to include the authorization access control.

In the meantime I've restored the backup already.

References:

• "All the loaders if they return protected data, each one is an individual endpoint that needs to be protected" - https://x.com/jacobmparis/status/1810553326464880962