
How to prevent feathers.js from returning all users in the users route


I have been using feathers.js for some time now and there's something I can't find after looking around. How do you prevent authenticated users from seeing all the users?

When I do a GET with Postman on my /users route, if I'm authenticated, I will receive all the users registered on the app. How do I prevent this? I have tried returning my own custom responses, but this seems to block the /authentication route.

Any help will be appreciated as feathers is really nice to work with.


Solution

  • Currently feathers-authentication-hooks is the best way to limit queries, most commonly used to associate the current user. So in order to limit all requests to the currently authenticated user you would do this:

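    const { authenticate } = require('@feathersjs/authentication');
    const { setField } = require('feathers-authentication-hooks');

    // `app` is the existing Feathers application instance.
    app.service('users').hooks({
      before: {
        all: [
          // Require a valid JWT; this populates params.user
          authenticate('jwt'),
          // Copy the authenticated user's id into the query so that
          // every call is limited to that user's own record
          setField({
            from: 'params.user.id',
            as: 'params.query.id'
          })
        ]
      }
    });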
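
As an added illustration (not part of the original answer and not the library's code), this dependency-free sketch shows the effect of the hook chain above on a `find` call. `scopeToCaller`, `usersService`, `callFind` and the sample records are hypothetical stand-ins constructed for this example.

```javascript
// Constructed sample data standing in for the users table.
const USERS = [
  { id: 1, email: 'alice@example.test' },
  { id: 2, email: 'bob@example.test' },
  { id: 3, email: 'carol@example.test' }
];

// Minimal in-memory "service": find() keeps records matching every key in params.query.
const usersService = {
  find(params) {
    const query = params.query || {};
    return USERS.filter(u =>
      Object.keys(query).every(k => String(u[k]) === String(query[k])));
  }
};

// Hypothetical stand-in for setField({ from: 'params.user.id', as: 'params.query.id' }).
function scopeToCaller(context) {
  const user = context.params.user;
  if (!user || user.id === undefined) {
    // Assumption of this sketch: external calls without an authenticated user are refused.
    if (context.params.provider) throw new Error('Forbidden: no authenticated user');
    return context; // internal server-side call, left unscoped
  }
  // Overwrite any client-supplied id with the authenticated user's id.
  context.params.query = { ...(context.params.query || {}), id: user.id };
  return context;
}

// Run the before hooks in order, then the service method.
function callFind(params, hooks) {
  const context = hooks.reduce((ctx, hook) => hook(ctx), { params: { ...params } });
  return usersService.find(context.params);
}

const bob = { id: 2, email: 'bob@example.test' };
// Without the hook, an authenticated caller gets every record.
const unscoped = callFind({ provider: 'rest', user: bob, query: {} }, []);
// With the hook, the same call returns only the caller's own record.
const scoped = callFind({ provider: 'rest', user: bob, query: {} }, [scopeToCaller]);
// A client-supplied id for another user is replaced by the caller's id.
const overridden = callFind({ provider: 'rest', user: bob, query: { id: 1 } }, [scopeToCaller]);

console.log(unscoped.length, scoped, overridden);
```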