After I login on c0d3 cli using c0d3 login, look at ~/.c0d3/credentials.json and base64 decode it. Notice that it is an object with id and token.
Looking at our mutation for creating submission, it seems like we are just decoding the cliToken and getting the id field to use as user's id.
Problem: If I were a malicious user, I could simply change the id in the file and then submit as any user I want.
Here's how I would do it:
1. Base64 encode {id: <hackedUserId>}. It seems cliToken isn't even used, so we don't even need that.
2. Paste the base64 string into ~/.c0d3/credentials.json
3. Submit.
Proposal:
1. In my experience, tokens should be sent in the request header, perhaps similar to the chatroom jwt auth in js5. The Bearer Authorization type seems reasonable because a bearer token means "an opaque string, not intended to have any meaning to clients using it".
2. In our user middleware, check whether the user's Authorization header is present. If so, look up the user by the cliToken field, which should be indexed for fast lookups, and populate the req.user object based on the cliToken.
3. Remove the cliToken check from create submission and simply use the req.user object.
Other thoughts
We ideally also want to remove cliToken from the createSubmission typeDef, but that may break all existing c0d3 CLIs.
Perhaps we could create an announcement, giving 1 week to upgrade?
Maybe we should have this issue looked into as well so we are better prepared for potential CLI breakage in the future.
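The proposed flow, as an added example that is not c0d3's code: a plain-Node sketch of the Bearer header middleware and the fixed createSubmission next to the decode-and-trust pattern the issue describes, with a constructed user table standing in for the indexed cliToken column.

```javascript
// Added example, not c0d3's code: the Bearer-token user middleware proposed
// in this issue, next to the decode-and-trust pattern it describes. The user
// table and request objects are constructed stand-ins for the database and
// the Express req; the names cliToken and req.user follow the issue.

// Constructed user table. In the real service this is the database, with an
// index on cliToken so the middleware's lookup is one indexed read.
const USERS = [
  { id: 1, username: 'alice', cliToken: 'tok_alice_9f3e' },
  { id: 2, username: 'bob', cliToken: 'tok_bob_71c2' },
];
const usersByCliToken = new Map(USERS.map((u) => [u.cliToken, u]));

// What ~/.c0d3/credentials.json holds today: base64 of {id, token}.
function encodeCredentials(id, token) {
  return Buffer.from(JSON.stringify({ id, token })).toString('base64');
}

// Current behaviour: the server decodes the blob and trusts the id inside.
// Nothing ties that id to the token, so whoever edits the file chooses the
// user a submission is attributed to.
function legacyUserId(cliToken) {
  return JSON.parse(Buffer.from(cliToken, 'base64').toString('utf8')).id;
}

// Proposed user middleware: read "Authorization: Bearer <cliToken>", look the
// token up, and populate req.user. Unknown or missing tokens leave req.user
// undefined; identity comes from the server's record, not from the client.
function userMiddleware(req, _res, next) {
  const header = req.headers.authorization || '';
  const m = /^Bearer\s+(\S+)$/i.exec(header);
  req.user = m ? usersByCliToken.get(m[1]) : undefined;
  next();
}

// createSubmission after the fix: no cliToken argument, only req.user.
function createSubmission(req, lessonId) {
  if (!req.user) return { ok: false, error: 'unauthenticated' };
  return { ok: true, submission: { userId: req.user.id, lessonId } };
}

// Runs the middleware and resolver over a constructed request.
function handle(headers, lessonId) {
  const req = { headers };
  userMiddleware(req, {}, () => {});
  return createSubmission(req, lessonId);
}
```

With the lookup in place, a credentials blob edited to carry another user's id no longer resolves to anyone, because the server only honours tokens it issued and stored.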