Documentation mentions htsApp should pass the poster's username in the payload. i.e.
{
    "heading": "a heading for the posting",
    "body": "body of the posting",
    "expires": "2015/01/31",
    "username": "brozeph"
}
For security purposes should the posting-API validate the user's session cookie and lookup the username on server-side? OR return 'please sign in' if user is logged out?
My original posting API looked like:
// Assumes the HTSpost mongoose model is required above this handler and that
// the session middleware (which sets req.user) runs before it on this route.
exports.savePost = function(req, res){
    // Grab payload out of req.body
    var newPost = req.body;
    // Server validates user is logged in and grabs their username. Adds to payload.
    // Note: whatever "username" the client put in the payload is still part of
    // newPost at this point; only seller_username comes from the session.
    newPost.seller_username = req.user.user_settings.name;
    // Use htsPost model and save payload to mongo
    var htsPost = new HTSpost(newPost);
    htsPost.save(function (err) {
        if (err) {
            // Sends the raw mongoose error object back to the client
            res.send({success: false, error: err});
        } else {
            res.send({success: true});
        }
    });
};
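One way to settle the question in code, as an added example rather than the questioner's own handler: the poster's identity is taken from the server-side session only, a missing session gets a 401 "please sign in", and the payload is copied field by field so a client-supplied "username" never reaches the database. The req.user / user_settings.name shape is taken from the question; save is a stand-in for htsPost.save so the example runs without Mongo.

```javascript
// Fields the posting API accepts from the client. "username" is deliberately
// absent: ownership is decided by the session, not by the payload.
const ALLOWED_FIELDS = ['heading', 'body', 'expires'];

// Build the document to store from the request body and the session user.
// Returns { status, post } on success or { status, error } on rejection.
function buildPost(body, sessionUser) {
  // Logged-out request: the session middleware left req.user unset.
  if (!sessionUser || !sessionUser.user_settings || !sessionUser.user_settings.name) {
    return { status: 401, error: 'please sign in' };
  }
  const post = {};
  for (const field of ALLOWED_FIELDS) {
    if (typeof body[field] === 'string') post[field] = body[field];
  }
  if (!post.heading || !post.body) {
    return { status: 400, error: 'heading and body are required' };
  }
  // Any "username"/"seller_username" the client sent has been dropped above;
  // the owner is whoever the server authenticated for this session.
  post.seller_username = sessionUser.user_settings.name;
  return { status: 200, post };
}

// Express-style handler built around buildPost. `save(post, cb)` stands in
// for the model's save call (constructed for this example).
function makeSavePost(save) {
  return function savePost(req, res) {
    const result = buildPost(req.body || {}, req.user);
    if (result.error) {
      return res.status(result.status).send({ success: false, error: result.error });
    }
    save(result.post, function (err) {
      // Do not echo the raw database error back to the client.
      if (err) return res.status(500).send({ success: false, error: 'could not save post' });
      res.send({ success: true });
    });
  };
}
```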