Security
This page lists the security topics that have already been considered in JOR. Security is a very big topic, and I cannot claim that JOR is very secure; reports of vulnerabilities are very much appreciated.
JOR uses the mysql package (mysqljs/mysql) to connect to the MySQL database. Every field name is escaped with pool.escapeId and every value is escaped with pool.escape, so SQL injection through the JSON messages posted to JOR should be prevented. Two caveats apply to this approach: escape and escapeId only protect the identifier and value positions they are actually applied to, so any other fragment that reaches a query string (an ORDER BY column, a LIMIT, a raw condition) must be validated separately; and escape turns a plain object into `key` = value pairs rather than a quoted string, so values taken from a JSON message should be checked to be scalars before they are escaped.
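The following is an added example, not code from JOR, showing how a JSON record posted by a client is turned into an INSERT statement with identifiers escaped by escapeId and values escaped by escape. The two escape functions are a minimal stand-in that follows the mysql package's rules for unqualified identifiers and scalar values so the file runs without the package installed; the buildInsert helper and the sample records are assumptions made here.

```javascript
// Added example: builds an INSERT from a posted JSON record the way the page
// describes (identifiers via escapeId, values via escape). The two escape
// functions below are a minimal stand-in for pool.escapeId / pool.escape from
// the mysql package: they cover unqualified identifiers and scalar values only.

const ESCAPE_MAP = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\',
};

// escapeId: wrap the identifier in backticks and double any embedded backtick,
// so a field name can never close the identifier early.
function escapeId(id) {
  return '`' + String(id).replace(/`/g, '``') + '`';
}

// escapeValue: NULL, booleans and numbers become literals; strings are quoted
// with the characters in ESCAPE_MAP backslash-escaped. Objects and arrays are
// rejected on purpose: the real escape() expands an object into `key` = value
// pairs, which a JSON value posted by a client should never be allowed to do.
function escapeValue(val) {
  if (val === null || val === undefined) return 'NULL';
  switch (typeof val) {
    case 'boolean': return val ? 'true' : 'false';
    case 'number':
      if (!Number.isFinite(val)) throw new TypeError('non-finite number');
      return String(val);
    case 'string':
      return "'" + val.replace(/[\0\b\t\n\r\x1a"'\\]/g, (c) => ESCAPE_MAP[c]) + "'";
    default:
      throw new TypeError(`refusing to escape value of type ${typeof val}`);
  }
}

// buildInsert (hypothetical helper, not a JOR function): every column name and
// every value from the record passes through an escape function, so the only
// SQL syntax in the result is the syntax written in this template.
function buildInsert(table, record) {
  const keys = Object.keys(record);
  if (keys.length === 0) throw new Error('empty record');
  const cols = keys.map(escapeId).join(', ');
  const vals = keys.map((k) => escapeValue(record[k])).join(', ');
  return `INSERT INTO ${escapeId(table)} (${cols}) VALUES (${vals})`;
}

// Constructed sample messages: a benign record, and one that tries to break
// out of both the value position and the identifier position.
const benign = { NAME: "O'Brien", AGE: 42, ACTIVE: true, NOTE: null };
const hostile = {
  "NAME`) VALUES ('x'); DROP TABLE person; --": "x'); DROP TABLE person; --",
};

console.log(buildInsert('person', benign));
console.log(buildInsert('person', hostile));
```

The hostile record ends up as one backtick-quoted column name and one single-quoted string, with the doubled backtick and the escaped quote keeping both inside their delimiters; the "DROP TABLE" text is data, not a statement. The scalar check in escapeValue is the part JOR's own code would need to add on top of pool.escape if it ever passes a whole JSON object through.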
By default, JOR ships with a built-in identification model; you can find existing entities such as person, permission, and authObject. If you want to use this built-in model, use ui-logon. Refer to its README to set up the identification solution, which consists of a logon page, identification Apps, and the server-side component.
After that, you can find the authorization object 'ENTITY' at http://localhost:3000/auth-objects. The ENTITY authorization object has three fields: ENTITY_ID, RELATION_ID, and ACTION. Use it to control which entities, which relations, and which actions are allowed for a given user. Refer to node-authorization for how to define authorizations.
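To make the three fields concrete, here is an added example of a deny-by-default check over ENTITY grants. It is not node-authorization's format or API: the grant shape, the '*' wildcard, the isAllowed function and the sample profile are assumptions made for this illustration, and node-authorization remains the reference for how authorizations are actually defined and evaluated.

```javascript
// Added example (not node-authorization's format): a deny-by-default check
// against ENTITY authorizations. Each grant carries the three fields of the
// ENTITY authorization object (ENTITY_ID, RELATION_ID, ACTION); a request is
// allowed only if some single grant matches all three fields.

// A field in a grant may be a single value or a list of values; '*' matches
// anything. A request field that is missing never matches a concrete value.
function matches(granted, requested) {
  const values = Array.isArray(granted) ? granted : [granted];
  return values.some((v) => v === '*' || (requested !== undefined && v === requested));
}

// isAllowed (hypothetical, assumed here): true only when one grant covers the
// entity, the relation and the action of the request together.
function isAllowed(grants, request) {
  return grants.some((g) =>
    matches(g.ENTITY_ID, request.ENTITY_ID) &&
    matches(g.RELATION_ID, request.RELATION_ID) &&
    matches(g.ACTION, request.ACTION));
}

// Constructed sample profile: read any relation of person, but create/update
// only the r_address relation.
const userGrants = [
  { ENTITY_ID: 'person', RELATION_ID: '*', ACTION: 'read' },
  { ENTITY_ID: 'person', RELATION_ID: 'r_address', ACTION: ['create', 'update'] },
];

console.log(isAllowed(userGrants, { ENTITY_ID: 'person', RELATION_ID: 'r_user', ACTION: 'read' }));
console.log(isAllowed(userGrants, { ENTITY_ID: 'person', RELATION_ID: 'r_user', ACTION: 'update' }));
```

Keeping the three fields in one grant is what makes the check meaningful: evaluating ENTITY_ID, RELATION_ID and ACTION independently would let a read grant on every relation combine with an update grant on one relation into an update on all of them.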