GraphQL Mutation for authenticated users to modify their username/email security risks

System Information
  • Strapi Version: 4.8.2

Hello,

I created a custom GraphQL mutation in order to allow users on a website to update their own locale and email/username.

I’m trying to wrap my head around whether the way I’ve implemented this is a security risk, since I’m using the core user update controller on the users & permissions plugin. The permissions for update are blocked for all user types.

Basically, on the mutation, the resolver checks if the request contains the user. I’m assigning the state user id to the request and passing it to the controller. In theory, this passes the data to be changed for the auth user.

Would that be enough? Would I need to implement a policy or a middleware to double-check other issues I’m not thinking about?

Thanks!

// src/index.js (assumed location: the post shows only the extension call, which
// normally sits inside the register() lifecycle of a Strapi v4 project)
'use strict';

const { toPlainObject } = require('lodash/fp');
const { errors } = require('@strapi/utils');
// Same helper the users-permissions plugin uses in its own GraphQL mutations;
// the require path is assumed from the plugin's source layout.
const { checkBadRequest } = require('@strapi/plugin-users-permissions/server/graphql/utils');

const { ForbiddenError } = errors;

module.exports = {
  register({ strapi }) {
    const extensionService = strapi.plugin('graphql').service('extension');

    extensionService.use(({ nexus }) => ({
      types: [
        nexus.objectType({
          name: 'UpdateMePayload',
          definition(t) {
            // reuse the plugin's own sanitised "me" type for the response
            t.nonNull.field('me', { type: 'UsersPermissionsMe' });
          },
        }),
        // nexus.mutationType always produces the root Mutation type; the name key is ignored
        nexus.mutationType({
          name: 'UpdateMe',
          definition(t) {
            t.field('updateMe', {
              type: nexus.nonNull('UpdateMePayload'),
              args: {
                email: 'String',
                // enum generated from the custom `locale` field on the user content type
                locale: 'ENUM_USERSPERMISSIONSUSER_LOCALE',
              },
              description: 'Update the current user locale',
              resolve: async (parent, args, context) => {
                const { koaContext, state } = context;

                // only authenticated users may call this mutation
                if (!state.user) {
                  throw new ForbiddenError('There is no user logged in');
                }

                // add username if email is provided to the update
                if (Object.prototype.hasOwnProperty.call(args, 'email')) {
                  args = { ...args, username: args.email };
                }

                // pass the auth user id to the koaContext params for the update in the controller
                koaContext.params = { id: state.user.id };

                // pass the arguments to the koaContext body for the update in the controller
                koaContext.request.body = toPlainObject(args);

                await strapi.plugin('users-permissions').controller('user').update(koaContext);

                const output = koaContext.body;

                checkBadRequest(output);

                return {
                  me: output,
                };
              },
            });
          },
        }),
      ],
    }));
  },
};
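Added example, not part of the original post and not Strapi's own code. The resolver above forwards the whole `args` object into the request body, so the only thing keeping fields such as `role`, `confirmed`, `blocked` or `password` out of the update is the GraphQL argument list itself. The stand-alone code below shows the same self-update with an explicit allow-list, the target id taken only from the session user, a uniqueness check on the new email, and secrets stripped from the returned record. The function names (`buildSelfUpdate`, `updateMe`), the in-memory store standing in for the users-permissions user service, and the locale values are all constructed for the example.

```javascript
'use strict';

// Fields an authenticated user is allowed to change on their own account.
// Anything else in the arguments (id, role, confirmed, blocked, password, ...)
// is rejected instead of being forwarded to the update.
const SELF_UPDATABLE_FIELDS = new Set(['email', 'locale']);

// Constructed stand-in for the ENUM_USERSPERMISSIONSUSER_LOCALE values of the post.
const ALLOWED_LOCALES = new Set(['en', 'fr', 'de']);

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Build the update payload from the GraphQL args and the authenticated user.
// The target id comes only from the session (state.user), never from the args.
function buildSelfUpdate(args, stateUser) {
  if (!stateUser || stateUser.id == null) {
    throw new Error('Forbidden: there is no user logged in');
  }
  const data = {};
  for (const [key, value] of Object.entries(args || {})) {
    if (value === undefined || value === null) continue;
    if (!SELF_UPDATABLE_FIELDS.has(key)) {
      throw new Error(`Bad request: field "${key}" cannot be changed through updateMe`);
    }
    data[key] = value;
  }
  if ('email' in data) {
    const email = String(data.email).trim().toLowerCase();
    if (!EMAIL_RE.test(email)) throw new Error('Bad request: invalid email');
    data.email = email;
    data.username = email; // the post keeps username in sync with email
  }
  if ('locale' in data && !ALLOWED_LOCALES.has(data.locale)) {
    throw new Error(`Bad request: unsupported locale "${data.locale}"`);
  }
  if (Object.keys(data).length === 0) throw new Error('Bad request: nothing to update');
  return { id: stateUser.id, data };
}

// Minimal in-memory user store standing in for the users-permissions user service.
class InMemoryUserStore {
  constructor(users) {
    this.users = new Map(users.map((u) => [u.id, { ...u }]));
  }
  findByEmail(email) {
    for (const u of this.users.values()) {
      if (u.email.toLowerCase() === email.toLowerCase()) return { ...u };
    }
    return null;
  }
  edit(id, data) {
    const user = this.users.get(id);
    if (!user) throw new Error('Not found');
    Object.assign(user, data);
    return { ...user };
  }
}

// Hardened equivalent of the post's resolver body: allow-list, uniqueness check,
// update scoped to the session user, and sanitised output.
function updateMe(store, stateUser, args) {
  const { id, data } = buildSelfUpdate(args, stateUser);
  if (data.email) {
    const other = store.findByEmail(data.email);
    if (other && other.id !== id) throw new Error('Bad request: email already taken');
  }
  const updated = store.edit(id, data);
  // Strip secrets the way the plugin's output sanitiser would; never echo them back.
  const { password, resetPasswordToken, confirmationToken, ...safe } = updated;
  return safe;
}

// Constructed sample users for a stand-alone run.
function sampleStore() {
  return new InMemoryUserStore([
    { id: 1, username: 'alice@example.com', email: 'alice@example.com', locale: 'en', password: 'hash1', role: 1 },
    { id: 2, username: 'bob@example.com', email: 'bob@example.com', locale: 'fr', password: 'hash2', role: 1 },
  ]);
}

module.exports = { buildSelfUpdate, InMemoryUserStore, updateMe, sampleStore };
```

With this shape a later addition to the mutation's `args` does not silently become writable: a field reaches the update only if it is in `SELF_UPDATABLE_FIELDS`, and a request that tries to smuggle `id` or `role` alongside a legitimate field is rejected as a whole rather than partially applied.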