Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update CHECK_AUTH Query to Prevent Over-Fetching Sensitive PII #3108

Closed
sancheet230 opened this issue Jan 31, 2025 · 7 comments
Closed

Update CHECK_AUTH Query to Prevent Over-Fetching Sensitive PII #3108

sancheet230 opened this issue Jan 31, 2025 · 7 comments
Labels
bug Something isn't working unapproved Unapproved for Pull Request

Comments

@sancheet230
Copy link

Issue related to

PalisadoesFoundation/talawa-admin#3484

Description:

The CHECK_AUTH query in the talawa-api repository currently exposes unnecessary Personally Identifiable Information (PII) such as birthDate, phone.mobile, educationGrade, employmentStatus, and maritalStatus. This violates privacy best practices and regulatory standards (GDPR/CCPA).

Proposed Fix:

Minimize Fields: Update the CHECK_AUTH query to fetch only essential data for authentication (e.g., _id, email, firstName, image).
Field-Level Permissions: Use GraphQL directives (e.g., @auth) to restrict access to sensitive fields.
Backend Validation: Ensure resolvers enforce access control.

Revised Query Example:

query CHECK_AUTH {  
  checkAuth {  
    _id  
    firstName  
    email  
    image  
  }  
}

Impact:

Prevents unauthorized exposure of PII.
Ensures compliance with GDPR/CCPA.
Reduces attack surface by limiting sensitive data exposure.
@sancheet230 sancheet230 added the bug Something isn't working label Jan 31, 2025
@github-actions github-actions bot added the unapproved Unapproved for Pull Request label Jan 31, 2025
@github-actions GitHub Actions
Copy link

Congratulations on making your first Issue! 🎊 If you haven't already, check out our Contributing Guidelines and Issue Reporting Guidelines to ensure that you are following our guidelines for contributing and making issues.

@sancheet230
Copy link
Author

I am already working on this issue check here I just have to do some changes in backend code first to solve the issue so kindly assign me

@sancheet230
Copy link
Author

@palisadoes @Cioppolo14 I have completed all the changes required in backed to solve whole issue so you can assign me so that I can raise a PR for the same.

@sancheet230 sancheet230 mentioned this issue Jan 31, 2025
Closed
@palisadoes
Copy link
Contributor

Which branch is this for?

@sancheet230
Copy link
Author

@palisadoes main branch

@palisadoes
Copy link
Contributor

We are focusing on the develop-postgres branch.
This will need to be closed

@palisadoes palisadoes closed this as not planned Won't fix, can't repro, duplicate, stale Jan 31, 2025
@sancheet230
Copy link
Author

@palisadoes ok I will stick with develop-postgres branch from now on thanks for clarification

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working unapproved Unapproved for Pull Request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@palisadoes @sancheet230