moleculerjs/moleculer-db

moleculer-db based services are not secured by default when gateway is autoaliasing

gautaz opened this issue · 3 comments

Hello,

When using the moleculer-db mixin, all CRUD actions are exposed by default when moleculer-web route is configured with autoalias=true.

This point has already been pointed out by #174 but it feels like something is exposed by default that the user is not aware of.
This could lead to unwanted actions exposure.

I understand that modifying the default behavior now is a breaking change.
Is this still debatable or can we at least consider adding a moleculer-db setting that would disable this behavior?

Another way out would be to define a default action visibility setting at the service level.

@icebob How do you feel about this?

Hi @gautaz,

I don't plan to add it, because I'm working heavily on the successor database module, which supports it. But PRs are welcome, of course.

By the way, I strongly recommend using the whitelist feature in the API gateway to handle the published services. It protects you from publishing unwanted services.

Hi @gautaz @icebob,

Just saw this issue, so sorry for the late reply. In case you still need to solve this, we did it like this: create a separate mixin (we called it dbSecureWrapper.js for inspirational purposes) and inside it we have this code (sorry for bad formatting, mobile GitHub is a pain):

const DbService = require("moleculer-db");

// Wraps moleculer-db and, unless publishRest is true, strips the `rest`
// definition from every action so that moleculer-web's autoAliases
// publishes none of them. Note that this mutates the actions object of the
// required moleculer-db module in place, so it affects every service that
// later mixes in moleculer-db in the same process.
module.exports = function (publishRest = false) {
    if (!publishRest) {
        Object.keys(DbService.actions).forEach(function (actionKey) {
            if (DbService.actions[actionKey].rest) {
                delete DbService.actions[actionKey].rest;
            }
        });
    }
    return DbService;
};

Which basically just wraps moleculer-db and kills all the REST routes (thus you have to define them manually). You just include it in mixins instead of moleculer-db and then you have to publish your routes manually, thus enabling you to secure them one by one.

Hi @drone12,

Thanks for the input.

For now we're basically sticking to @icebob's advice, we already have a certain amount of moleculer-db based services and did not want to modify them all at once.
Luckily (well, that's not really luck but more of a design decision), all these services have names that follow a particular pattern that we can use in the whitelist (a regex excluding these names, then we can re-add their actions one by one to the whitelist depending on our needs).

I am looking forward to the release of https://github.com/moleculerjs/database :-).
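The whitelist approach described in the thread (a regex that excludes the moleculer-db based services, plus individual actions re-added by name), as an added example that is not part of the thread or of moleculer-web itself. It assumes the moleculer-db services share a constructed `db-` name prefix; the `isWhitelisted` check is a simplified re-implementation of moleculer-web's whitelist semantics for demonstration, not the library's own code.

```javascript
// Added example: a moleculer-web route with autoAliases enabled whose whitelist
// publishes every action EXCEPT those of moleculer-db based services, then
// re-adds chosen moleculer-db actions one by one.
// Assumption (constructed): moleculer-db services are named with a "db-" prefix.
const routeSettings = {
  path: "/api",
  autoAliases: true,
  whitelist: [
    /^(?!db-)[\w.-]+$/, // any action that is NOT on a "db-" service
    "db-users.get",     // deliberately re-published moleculer-db actions
    "db-users.list",
  ],
};

// Simplified stand-in for moleculer-web's whitelist matching (not its code):
// a RegExp entry is tested directly; a string entry is a mask in which "*"
// matches one dotted segment and "**" matches anything.
function globToRegExp(mask) {
  const escape = (s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  const source = mask
    .split("**")
    .map((part) => part.split("*").map(escape).join("[^.]*"))
    .join(".*");
  return new RegExp(`^${source}$`);
}

function isWhitelisted(actionName, whitelist) {
  return whitelist.some((entry) =>
    entry instanceof RegExp ? entry.test(actionName) : globToRegExp(entry).test(actionName)
  );
}

// Constructed sample of action names a gateway with autoAliases would otherwise expose.
const sampleActions = [
  "users.login", "db-users.get", "db-users.list", "db-users.remove", "db-orders.create",
];

// Returns the subset of action names the route would actually publish.
function publishedActions(actions, whitelist) {
  return actions.filter((a) => isWhitelisted(a, whitelist));
}

console.log(publishedActions(sampleActions, routeSettings.whitelist));
```

Any new moleculer-db service that follows the naming pattern is unpublished by default; only the actions listed explicitly reach the gateway.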