DEV Community

Discussion on: Build An Authentication system with node, express, and MongoDB

Paulo Renato

Thanks for sharing your thoughts on Authentication, but please don't roll your own Authentication/Authorization; instead use battle-proven solutions from the community.

Why, you may ask?

Because these are very security-sensitive things that can easily go wrong, like you have just done here in your solution.

What did I do wrong?

Well, to start with, you should NEVER return user data like the password hash. This is a terribly bad thing to do from any perspective you may look at it from, and returning the _id is also not advisable.

Some other things are not quite OK as well, but I leave that as an exercise for you to figure out. To help you with that, I recommend you read the OWASP API Security Top 10, and afterwards I hope you will see that you are incurring some of the top 10 security risks.
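The point about not echoing the stored user document back to the client, as an added example that is not part of the original post or the author's code: an allowlist serializer keeps the password hash, `_id` and other internal fields out of a register/login response, plus a check that can be used in tests or a response middleware. The document shape and field names are assumptions for illustration.

```javascript
// Added example (not from the original post or its author): an allowlist
// serializer for user documents so an authentication response never
// includes the password hash, the Mongo _id, or other internal fields.

// Constructed sample: the shape a MongoDB user document typically has
// after registration (field names and values are assumptions).
const storedUser = {
  _id: "64f1c0ffee0000000000abcd",
  email: "alice@example.com",
  username: "alice",
  password: "$2b$10$constructedSampleHashValueNotARealCredential0000000",
  role: "user",
  __v: 0,
};

// Fields that are safe to expose to the client. Everything else is dropped
// by default, so a sensitive field added later is not leaked by accident.
const PUBLIC_USER_FIELDS = ["email", "username", "role"];

// The anti-pattern the comment warns about: sending the document as-is
// (equivalent to res.json(user) in an Express handler).
function leakyResponseBody(userDoc) {
  return { ...userDoc };
}

// Hardened version: copy only the allowlisted fields into the response body.
function toPublicUser(userDoc) {
  const out = {};
  for (const key of PUBLIC_USER_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(userDoc, key)) {
      out[key] = userDoc[key];
    }
  }
  return out;
}

// Defensive check: refuse to send a body that still carries a credential
// or an internal identifier. Useful as a unit test or a last-line guard.
const FORBIDDEN_IN_RESPONSE = ["password", "passwordHash", "_id", "__v"];

function responseLeaksSecrets(body) {
  return FORBIDDEN_IN_RESPONSE.some((k) =>
    Object.prototype.hasOwnProperty.call(body, k)
  );
}

// Run stand-alone to compare the two response shapes.
console.log(responseLeaksSecrets(leakyResponseBody(storedUser))); // true
console.log(toPublicUser(storedUser)); // { email, username, role } only
console.log(responseLeaksSecrets(toPublicUser(storedUser))); // false
```

Using `toPublicUser` (or an equivalent Mongoose `select`/`toJSON` transform) at every place a user document reaches `res.json` is the minimal fix; the allowlist approach is preferred over deleting `password` from the object, because a blocklist silently misses new fields.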
