Skip to content

fix(security): prevent mass assignment in session creation endpoint#470

Open
KrutagyaKaneria wants to merge 1 commit into
Canopus-Labs:mainfrom
KrutagyaKaneria:fix/session-mass-assignment
Open

fix(security): prevent mass assignment in session creation endpoint#470
KrutagyaKaneria wants to merge 1 commit into
Canopus-Labs:mainfrom
KrutagyaKaneria:fix/session-mass-assignment

Conversation

@KrutagyaKaneria

Copy link
Copy Markdown

📋 Description

This PR strengthens the security of the session creation endpoint by preventing potential mass assignment during session creation.

✨ Changes Made

  • Removed the direct spread of req.body into the session document.
  • Explicitly selected only the allowed client-controlled fields before creating a session.
  • Ensured the authenticated user's ID is always used as the session owner and cannot be overridden by client input.
  • Updated the validation middleware to use the sanitized result returned by the schema validation.
  • Reviewed the session creation flow to ensure only validated input reaches the controller.

🔒 Security Benefits

  • Prevents unauthorized field assignment.
  • Eliminates the possibility of overriding server-controlled fields such as user.
  • Improves trust boundaries between client input and persisted data.
  • Establishes a safer coding pattern for future create/update operations.

🧪 Testing

  • Verified normal session creation still works.
  • Verified authenticated ownership is preserved.
  • Verified injected user fields are ignored.
  • Verified unknown fields are not persisted.
  • Verified existing frontend functionality remains unchanged.

Closes #464

#GSSoC
#ECSoC26

This PR is submitted as part of GirlScript Summer of Code (GSSoC) 2026.

This change restores compatibility for fresh Supabase database setups without modifying historical migrations. Kindly review and consider approving it if it aligns with the project's database maintenance and developer experience goals. Thank you for your valuable feedback!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[SECURITY] Prevent Mass Assignment in Session Creation Endpoint

1 participant