From e7a42c677276eceead0dfad6e8d0bb8d667fc25c Mon Sep 17 00:00:00 2001
From: samuela
Date: Thu, 24 Jan 2019 10:36:49 -0800
Subject: [PATCH] community: encourage good security in email checking (#1421)

The current regex is vulnerable to all sorts of attacks: `foobar.com@gmail.com` or `jim@asdffoobar.com`.
---
 community/sample-apps/todo-auth0-jwt/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/community/sample-apps/todo-auth0-jwt/README.md b/community/sample-apps/todo-auth0-jwt/README.md
index 43df5b209178f..da5c3490d6726 100644
--- a/community/sample-apps/todo-auth0-jwt/README.md
+++ b/community/sample-apps/todo-auth0-jwt/README.md
@@ -21,7 +21,7 @@ function (user, context, callback) {
 {
 'x-hasura-default-role': 'user',
 // do some custom logic to decide allowed roles
- 'x-hasura-allowed-roles': user.email.match(/foobar.com/) ? ['user', 'admin'] : ['user'],
+ 'x-hasura-allowed-roles': user.email === 'admin@foobar.com' ? ['user', 'admin'] : ['user'],
 'x-hasura-user-id': user.user_id
 };
 callback(null, user, context);