Review user data handling #344

Closed
aaronjudd opened this issue Mar 16, 2015 · 6 comments
@aaronjudd (Contributor)

Perform a full review of the storage and treatment of user data (i.e. carts, accounts, sessions, emails).

Some ideas:

  • Encryption of all customer data (replace plain text with encrypted data)
  • Add server-side methods for reading/storing and querying encrypted records
  • Add a test for exposed customer data
@aaronjudd (Contributor, Author)

Related to #283

@aaronjudd aaronjudd added ready and removed backlog labels May 13, 2015
@aaronjudd aaronjudd self-assigned this May 13, 2015
@aaronjudd aaronjudd removed their assignment Jul 24, 2015
@aaronjudd aaronjudd added backlog and removed ready labels Jan 13, 2016
@aaronjudd (Contributor, Author)

Review this https://github.com/reactioncommerce/reaction/blob/development/packages/reaction-collections/server/publications/accounts.js#L56-L75 and specifically https://github.com/reactioncommerce/reaction/blob/development/packages/reaction-collections/server/publications/accounts.js#L78. Meteor.user is using https://github.com/meteor/meteor/blob/master/packages/accounts-base/accounts_common.js#L229. Account.server I think is the new multi-server implementation and seems to be returning more than would be expected in the client when reviewing console Accounts.user. Could be refactored to apply exported fields to all in the short term, and a larger refactor in adding public social profile data to ReactionCore.Collections.Accounts.
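
The "apply exported fields to all" idea above amounts to an explicit field whitelist applied to every account document before it is published. The block below is an added example, not Reaction's or Meteor's own code: a Mongo-style projection helper in the shape of the `fields` option a Meteor publish cursor takes, plus a check in the spirit of the "test for exposed customer data" item in the opening post that lists every path a document carries that the whitelist does not cover. The whitelist, method of projection and the sample account document are assumptions constructed for the example.

```javascript
// Added example (not Reaction's or Meteor's code). EXPORTED_FIELDS is an
// assumed whitelist in Mongo projection form; a Meteor publication would
// pass the same object as Accounts.find(selector, { fields: EXPORTED_FIELDS }).
const EXPORTED_FIELDS = Object.freeze({
  _id: 1,
  'profile.name': 1,
  'profile.picture': 1,
  'emails.address': 1,
});

// Constructed sample account; values are placeholders, not real data.
const SAMPLE_ACCOUNT = {
  _id: 'acct-1',
  profile: {
    name: 'Ada',
    picture: 'https://example.invalid/ada.png',
    addressBook: [{ city: 'Paris' }],
  },
  emails: [{ address: 'ada@example.invalid', verified: true }],
  services: {
    password: { bcrypt: '$2a$10$placeholder-hash' },
    resume: { loginTokens: [{ hashedToken: 'placeholder-token' }] },
  },
  sessions: ['sess-1'],
};

// Project one dotted path out of a value. Arrays are traversed element-wise
// (as Mongo does), objects that lack the key yield {}, scalars with path
// segments left over yield undefined and are dropped from arrays.
function project(value, keys) {
  if (keys.length === 0) return value;
  if (Array.isArray(value)) {
    return value.map((v) => project(v, keys)).filter((v) => v !== undefined);
  }
  if (value === null || typeof value !== 'object') return undefined;
  const [head, ...rest] = keys;
  if (!(head in value)) return {};
  const sub = project(value[head], rest);
  return sub === undefined ? {} : { [head]: sub };
}

// Deep-merge two projection results; aligned arrays merge element-wise.
function merge(a, b) {
  if (Array.isArray(a) && Array.isArray(b)) return a.map((x, i) => merge(x, b[i]));
  if (a && b && typeof a === 'object' && typeof b === 'object') {
    const out = { ...a };
    for (const k of Object.keys(b)) out[k] = k in out ? merge(out[k], b[k]) : b[k];
    return out;
  }
  return b === undefined ? a : b;
}

// Return only the whitelisted fields of a document.
function exportFields(doc, spec = EXPORTED_FIELDS) {
  return Object.keys(spec)
    .filter((p) => spec[p] === 1)
    .map((p) => project(doc, p.split('.')))
    .reduce(merge, {});
}

// Enumerate every leaf path in a document (arrays are transparent).
function leafPaths(value, prefix = '') {
  if (Array.isArray(value)) return value.flatMap((v) => leafPaths(v, prefix));
  if (value && typeof value === 'object' && !(value instanceof Date)) {
    return Object.keys(value).flatMap((k) =>
      leafPaths(value[k], prefix ? `${prefix}.${k}` : k));
  }
  return [prefix];
}

// Paths present in the document that the whitelist would NOT export: the
// list a publication test would expect to be empty after projection.
function leakedFields(doc, spec = EXPORTED_FIELDS) {
  const allowed = Object.keys(spec).filter((p) => spec[p] === 1);
  const covered = (p) => allowed.some((a) => p === a || p.startsWith(`${a}.`));
  return [...new Set(leafPaths(doc).filter((p) => !covered(p)))];
}

module.exports = { EXPORTED_FIELDS, SAMPLE_ACCOUNT, exportFields, leakedFields };
```

Running `leakedFields(SAMPLE_ACCOUNT)` on the unprojected document names the password hash, login tokens, sessions and address book as fields the client would otherwise receive; `leakedFields(exportFields(SAMPLE_ACCOUNT))` is empty, which is the assertion a publication test can make.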

@aaronjudd aaronjudd added bug and removed backlog labels Jan 14, 2016
@aaronjudd (Contributor, Author)

Note: I think the recommended approach here would be to remove this publication if possible and rely on "Reaction.Accounts", but this would likely require a secure method of syncing those profile details and replacing the functionality of utilities:gravatar, which might not be trivial, as discussed with @mikemurray and @newsiberian.

@aaronjudd aaronjudd self-assigned this Jan 20, 2016
@newsiberian (Contributor)

I realized that we need to add DDPRateLimit to every method which is accessible from the client side. Right now every one of these methods can be looped, which would cause a server DDoS.
For example:

  • Normally a user can't call "cart/addToCart" more than, say, 1 time in 5 seconds, and
  • he can't modify/add/remove his address more than 1 time in 2-5 seconds,
    but not 600 times per second.

I think we need to think about each method: how often could it normally be called? Then implement these rate limits.
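
As an added example, not Reaction's or Meteor's own code: the policy sketched in the comment above, expressed as per-method, per-caller rules in the shape Meteor's `DDPRateLimiter.addRule(matcher, numRequests, intervalMs)` takes, with a small standalone limiter so the effect on a 600-call burst can be checked without a Meteor server. The rule numbers, the address method names and the caller ids are assumptions; only "cart/addToCart" is named on the page, and the real limits would come from measuring how often each method is legitimately called.

```javascript
// Added example (not Reaction's or Meteor's code). Rules are assumed values
// modelled on the comment above; 'address/*' method names are hypothetical.
// In Meteor, each rule corresponds to a registration such as
// DDPRateLimiter.addRule({ type: 'method', name: 'cart/addToCart' }, 1, 5000).
const RULES = [
  { name: 'cart/addToCart', numRequests: 1, intervalMs: 5000 },
  { name: 'address/add', numRequests: 1, intervalMs: 3000 },
  { name: 'address/update', numRequests: 1, intervalMs: 3000 },
  { name: 'address/remove', numRequests: 1, intervalMs: 3000 },
];

// Sliding-window limiter keyed by (method, caller). `now` is injectable so
// the behaviour can be tested with a fake clock.
class MethodRateLimiter {
  constructor(rules, now = () => Date.now()) {
    this.rules = new Map(rules.map((r) => [r.name, r]));
    this.now = now;
    this.calls = new Map(); // "method|caller" -> timestamps inside the window
  }

  // Returns { allowed: true } or { allowed: false, retryAfterMs }.
  check(methodName, callerId) {
    const rule = this.rules.get(methodName);
    // A method with no rule is unlimited; that should be a deliberate choice,
    // which is why the comment above asks for every method to be reviewed.
    if (!rule) return { allowed: true };
    const key = `${methodName}|${callerId}`;
    const t = this.now();
    const recent = (this.calls.get(key) || []).filter((ts) => t - ts < rule.intervalMs);
    if (recent.length >= rule.numRequests) {
      this.calls.set(key, recent);
      return { allowed: false, retryAfterMs: rule.intervalMs - (t - recent[0]) };
    }
    recent.push(t);
    this.calls.set(key, recent);
    return { allowed: true };
  }
}

// Scenario with a fake clock: same caller twice inside the window, a second
// caller (limited separately), the first caller again after the window.
function runScenario() {
  let clock = 0;
  const limiter = new MethodRateLimiter(RULES, () => clock);
  const results = [];
  const call = (t, method, caller) => {
    clock = t;
    results.push(limiter.check(method, caller).allowed);
  };
  call(0, 'cart/addToCart', 'user-a');       // allowed
  call(100, 'cart/addToCart', 'user-a');     // blocked: 1 per 5 s
  call(100, 'cart/addToCart', 'user-b');     // allowed: different caller
  call(5000, 'cart/addToCart', 'user-a');    // allowed: window elapsed
  call(5100, 'shop/getCurrency', 'user-a');  // allowed: no rule (hypothetical name)
  return results;
}

// The "600 times per second" case: n calls from one caller, 1 ms apart.
function countBlocked(n, method = 'cart/addToCart') {
  let clock = 0;
  const limiter = new MethodRateLimiter(RULES, () => clock);
  let blocked = 0;
  for (let i = 0; i < n; i += 1) {
    clock = i;
    if (!limiter.check(method, 'user-a').allowed) blocked += 1;
  }
  return blocked;
}

module.exports = { RULES, MethodRateLimiter, runScenario, countBlocked };
```

Meteor's built-in limiter uses fixed intervals per rule rather than a sliding window, so the exact boundary behaviour differs, but the policy decision is the same: every client-callable method gets a rule, and a method left unlimited is an explicit exception rather than an oversight.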

@aaronjudd aaronjudd removed their assignment Mar 22, 2016
@aaronjudd aaronjudd added this to the v0.15.0 RC milestone Mar 22, 2016
@brent-hoover (Collaborator)

@Capt-Slow Josh, you and I should go over this ticket and extract some actionable items from it.

@brent-hoover (Collaborator)

I think the tickets created here cover the issues brought up in this ticket so this ticket is no longer needed.


4 participants