Endpoint security vulnerability?

Hi everyone!

I have a general API question here.

So, the way I understand the approach, there are two layers of data access protection with Strapi – the roles and the JWT token.

Let’s say I’m a user, was able to log in, so therefore able to see my JWT token via the browser headers. What if I do a:
GET /profiles (where profiles is connected to the users table) and attach my JWT token. I will be able to see everything on the profiles table, correct? Isn’t that considered a security issue? A user can browse through the records that are assigned to other users using the token that is only assigned to a particular user?


Would love to know too

  1. GET /profiles, limit it to admin roles only, in case you don’t want simple users to access it.
  2. If you want the users to be able to access it but to get only the records that are assigned to the user, then use policies and create a custom controller that will return the records only for the user who requested it.

I will second @sunnyson here, policies are what you use to provide server-side, pre-controller logic-based limitations.
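To make the two replies above concrete, here is an added example (not Strapi's own code, and not posted by anyone in this thread) written as plain Node.js so it runs without a Strapi install. It assumes what Strapi's users-permissions plugin does after verifying the JWT: the authenticated user is placed on `ctx.state.user`, and the profile's owner relation is a field named `user`. The `PROFILES` array, `makeCtx`, and all function names are constructed for the example. It shows the unscoped controller the original question worries about next to a policy plus an owner-scoped controller, and goes one step further than the replies by adding a single-record variant that hides other users' ids.

```javascript
// Constructed sample data standing in for the profiles table.
// Each row's `user` field is the owning user's id.
const PROFILES = [
  { id: 1, user: 1, bio: 'alice' },
  { id: 2, user: 2, bio: 'bob' },
  { id: 3, user: 1, bio: 'alice-second' },
];

// Builds a request context shaped the way the framework leaves it after JWT
// verification: the verified user (or undefined) lives on ctx.state.user.
function makeCtx(user, query = {}) {
  return { state: { user }, query, status: 200, body: null };
}

// Policy: runs before the controller and rejects requests with no verified user.
// Returns false (and sets the error response) when the request must not proceed.
function isAuthenticated(ctx) {
  if (!ctx.state || !ctx.state.user) {
    ctx.status = 401;
    ctx.body = { error: 'Unauthorized' };
    return false;
  }
  return true;
}

// The shape the original question describes: any caller holding a valid token
// gets every row. A role check alone does not fix this, because the caller IS
// an authenticated user; the missing piece is the per-record ownership filter.
function findAllUnscoped(ctx, db = PROFILES) {
  ctx.body = db;
  return ctx.body;
}

// Owner-scoped controller. The owner id comes from the verified token, never from
// the client: a query string like ?user=2 is deliberately ignored, so a user
// cannot widen the filter by editing the request.
function findOwn(ctx, db = PROFILES) {
  if (!isAuthenticated(ctx)) return ctx.body;
  const ownerId = ctx.state.user.id;
  ctx.body = db.filter((p) => p.user === ownerId);
  return ctx.body;
}

// Single-record variant. Ownership is part of the lookup itself, and a row owned
// by someone else answers 404 rather than 403, so the response does not reveal
// which ids exist.
function findOneOwn(ctx, id, db = PROFILES) {
  if (!isAuthenticated(ctx)) return ctx.body;
  const row = db.find((p) => p.id === id && p.user === ctx.state.user.id);
  if (!row) {
    ctx.status = 404;
    ctx.body = { error: 'Not found' };
    return ctx.body;
  }
  ctx.body = row;
  return ctx.body;
}

// Usage: user 1 sees only rows 1 and 3; user 2 sees only row 2; no token -> 401.
findOwn(makeCtx({ id: 1 }));
findOwn(makeCtx({ id: 2 }, { user: 1 })); // query param ignored, still only row 2
findOneOwn(makeCtx({ id: 2 }), 1);       // 404, row 1 belongs to user 1
```

Inside a real Strapi project the same logic lives in the API's controller file and, assuming Strapi v4, the filtered query would be `strapi.entityService.findMany('api::profile.profile', { filters: { user: ctx.state.user.id } })` with the policy attached to the route; the point that carries over unchanged is that the filter value is taken from `ctx.state.user`, not from anything the client sends.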