
fix(forum): derive topic author from JWT session instead of request body#269

Merged
omkarhole merged 1 commit into omkarhole:main from anshul23102:fix/263-forum-author-impersonation on Jun 2, 2026

Conversation

@anshul23102
Contributor

Summary

Closes #263

addForum in backend/controllers/forum.controller.js used req.body.user_id || req.body.user as the topic author. Any authenticated caller could supply a different user's MongoDB ObjectId in the request body and have the forum topic attributed to that user, with the victim's name shown as the author.

What Changed

backend/controllers/forum.controller.js only:

  • Replaced the client-supplied user_id/user fields with req.user.id || req.user._id (the verified JWT payload).
  • The author is now always the authenticated caller regardless of what the request body contains.

Testing

  1. Log in as User A. POST /api/v1/forums with user_id set to User B's ID. Verify the created topic shows User A as the author.
  2. Confirm the title and description are saved correctly.

Type of Change

  • Bug fix (security)

NSoC '26 contribution

Closes omkarhole#263

addForum read the topic author from req.body.user_id or req.body.user,
allowing any authenticated caller to supply another user's ObjectId and
have the topic attributed to that user. req.user (the verified JWT
payload) was never consulted.

Replace the client-supplied field with req.user.id so the author is
always the authenticated caller, regardless of what the request body
contains.
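The before/after handler shapes described in this PR, as an added example that is not code from the omkarhole repository or from this PR. It models addForum in plain JavaScript with an in-memory store in place of the Mongoose model and hand-built req/res objects in place of Express (all assumptions), and reproduces the PR's test plan: User A is authenticated via the JWT (req.user) but sends User B's id in the body. The fail-closed 401 branch in the fixed handler is an addition of this example, not something the page says the project does.

```javascript
// Added example, not the project's controller. The handler signature,
// the in-memory "collection" and the mock req/res are assumptions; the
// real addForum is an async Express handler backed by a Mongoose model.

// Constructed stand-in for the Forum collection.
function makeStore() {
  const docs = [];
  return {
    docs,
    create(doc) {
      const saved = { _id: `forum-${docs.length + 1}`, ...doc };
      docs.push(saved);
      return saved;
    },
  };
}

// Minimal mock of Express's res that records the status code and JSON body.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Before the fix (as described in the PR): the author is read from the
// request body, so any authenticated caller can attribute the topic to
// another user's ObjectId.
function addForumVulnerable(Forum, req, res) {
  const { title, description } = req.body;
  const user = req.body.user_id || req.body.user;
  const forum = Forum.create({ title, description, user });
  return res.status(201).json(forum);
}

// After the fix: the author is the verified JWT subject that the auth
// middleware placed on req.user; the body is never consulted for it.
function addForumFixed(Forum, req, res) {
  // Assumed hardening for this example: if the route is ever mounted
  // without the auth middleware, refuse instead of throwing on req.user.id.
  const userId = req.user && (req.user.id || req.user._id);
  if (!userId) {
    return res.status(401).json({ message: "Authentication required" });
  }
  const { title, description } = req.body;
  const forum = Forum.create({ title, description, user: userId });
  return res.status(201).json(forum);
}

// The PR's test plan: logged in as User A, POST with user_id set to User B.
// Returns the status and the author the handler actually stored.
function impersonationAttempt(handler) {
  const Forum = makeStore();
  const req = {
    user: { id: "64a0000000000000000000aa" },   // User A, from the JWT (constructed)
    body: {
      title: "Hello",
      description: "First post",
      user_id: "64a0000000000000000000bb",      // User B, attacker-chosen (constructed)
    },
  };
  const res = makeRes();
  handler(Forum, req, res);
  return { status: res.statusCode, author: res.body && res.body.user };
}

// No session at all: the fixed handler must not create anything.
function unauthenticatedAttempt() {
  const Forum = makeStore();
  const req = { body: { title: "x", description: "y", user_id: "64a0000000000000000000bb" } };
  const res = makeRes();
  addForumFixed(Forum, req, res);
  return { status: res.statusCode, created: Forum.docs.length };
}

console.log("vulnerable:", impersonationAttempt(addForumVulnerable)); // author is User B
console.log("fixed:     ", impersonationAttempt(addForumFixed));      // author is User A
console.log("no session:", unauthenticatedAttempt());                 // 401, nothing stored
```

Two things to check when applying this pattern to a real controller: the route must actually sit behind the JWT middleware that populates req.user, and the document must be built from explicitly picked fields rather than the whole request body, otherwise a client-supplied user field can still reach the model through a different path.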
@vercel

vercel Bot commented Jun 1, 2026

@anshul23102 is attempting to deploy a commit to the omkarhole's projects Team on Vercel.

A member of the Team first needs to authorize it.

@omkarhole omkarhole merged commit 17eab79 into omkarhole:main Jun 2, 2026
0 of 2 checks passed
@omkarhole omkarhole added labels NSOC'26 (Issues for the NSOC 2026 program) and level1 (3 points) Jun 2, 2026

Labels

level1 (3 points), NSOC'26 (Issues for the NSOC 2026 program)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug]: addForum accepts client-supplied user_id as the forum topic author, allowing any authenticated user to impersonate another user

2 participants