Read foreign messages bug
Closed this issue · 1 comment
Hi!
You made a good example of a chat application, but there is one thing with the route '/api/conversation/:id': everyone can read messages from everyone, because there is no verification of 'who is the sender'.
MongoDB IDs are sequential, for example ...0e801, ...0e802, etc. This means these IDs are very easy to brute-force.
And anyone can make requests with their own token and get messages from another conversation. That's not good.
Have a nice day!
Hello @bogatyr285, thanks for pointing this out. Yes, absolutely anyone can easily read any conversation; this is just for initial demo purposes, but I agree we should put in conditional validation to validate a user for any conversation. I will change it next in my free time and look forward to expanding it a bit more in future.
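The kind of participant check the reply agrees to add for '/api/conversation/:id', written as an added example rather than code from this repository; the in-memory store standing in for the MongoDB collection, the `participants` field, and `req.user.id` being set by an earlier token-verification middleware are assumptions.

```javascript
// Added example (not the project's own code): authorize the caller before
// returning a conversation. The Map below is constructed sample data that
// stands in for the MongoDB collection; the `participants` field is assumed.
const conversations = new Map([
  ['0e801', { participants: ['alice', 'bob'], messages: ['hi bob', 'hi alice'] }],
  ['0e802', { participants: ['carol', 'dave'], messages: ['lunch?'] }],
]);

// Core check: the caller is identified by the verified token (userId), never
// by a client-supplied field, and must be a participant of the conversation.
function getConversationForUser(conversationId, userId) {
  const conv = conversations.get(conversationId);
  // Same response for "does not exist" and "not yours", so scanning IDs
  // does not reveal which conversations exist.
  if (!conv || !conv.participants.includes(userId)) {
    return { status: 404, body: { error: 'not found' } };
  }
  return { status: 200, body: { messages: conv.messages } };
}

// Express-style handler for GET /api/conversation/:id. req.user.id is assumed
// to have been set by the token-verification middleware that runs before it.
function conversationHandler(req, res) {
  const { status, body } = getConversationForUser(req.params.id, req.user.id);
  res.status(status).json(body);
}

// The equivalent lookup against MongoDB (assumed schema) scopes the query by
// the authenticated user, so the database filters rather than only the route:
//   Conversation.findOne({ _id: req.params.id, participants: req.user.id })
```

A request for a conversation the caller is not part of is rejected even when the ID is guessed correctly, which is what closes the hole described in the issue.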