
dvws-node's Introduction


dvws-node

Damn Vulnerable Web Services is a deliberately vulnerable application with a web service and an API that can be used to learn about web-service and API related vulnerabilities. It is the replacement for https://github.com/snoopysecurity/dvws

DVWS

This vulnerable application contains the following API/Web Service vulnerabilities:

  • Insecure Direct Object Reference
  • Horizontal Access Control Issues
  • Vertical Access Control Issues
  • Mass Assignment
  • Cross-Site Scripting
  • NoSQL Injection
  • Server Side Request Forgery
  • JSON Web Token (JWT) Secret Key Brute Force
  • Information Disclosure
  • Hidden API Functionality Exposure
  • Cross-Origin Resource Sharing Misconfiguration
  • JSON Hijacking
  • SQL Injection
  • XML External Entity Injection (XXE)
  • Command Injection
  • XPATH Injection
  • XML-RPC User Enumeration
  • Open Redirect
  • Path Traversal
  • Unsafe Deserialization
  • Sensitive Data Exposure
  • GraphQL Access Control Issues
  • GraphQL Introspection Enabled
  • GraphQL Arbitrary File Write
  • GraphQL Batching Brute Force
  • Client Side Template Injection

Set Up Instructions

Manual (Preferred Method)

Node and npm are needed to run dvws-node.

Tested on:

  • node v16.19.0
  • npm 8.19.3

Set up a MongoDB instance listening on port 27017. Docker can be used to set this up quickly:

docker run -d -p 27017-27019:27017-27019 --name dvws-mongo mongo:4.0.4

Create a MySQL database which listens on port 3306. Docker can be used as follows:

docker run -p 3306:3306 --name dvws-mysql -e MYSQL_ROOT_PASSWORD=mysecretpassword -e MYSQL_DATABASE=dvws_sqldb -d mysql:8

Git clone the DVWS Repository

git clone https://github.com/snoopysecurity/dvws-node.git

Change directory to DVWS

cd dvws-node

Install all dependencies with npm (libxmljs must be built from source; depending on your OS you may also need to install libxml2 first: sudo apt-get install -y libxml2 libxml2-dev)

npm install --build-from-source

Run the startup script, which creates some test data:

node startup_script.js

To start the application/API, run the following (sudo privileges are needed to bind to port 80):

sudo npm start

In your /etc/hosts file, map dvws.local to localhost. This ensures that the URLs used by Swagger resolve correctly (optional):

127.0.0.1    dvws.local

Docker Compose

If you have Docker Compose installed on your system, all you need to do is:

Clone DVWS

git clone https://github.com/snoopysecurity/dvws-node.git

Change directory to dvws-node

cd dvws-node

Start Docker

docker-compose up

This will start the dvws service with the backend MySQL database and the NoSQL database.

If the DVWS web service does not start because MongoDB or MySQL are still initialising, increase the value of the WAIT_HOSTS_TIMEOUT environment variable.

Solutions

To Do

  • Cross-Site Request Forgery (CSRF)
  • XML Bomb Denial-of-Service
  • API Endpoint Brute Forcing
  • Web Socket Security
  • Type Confusion
  • LDAP Injection
  • SOAP Injection
  • XML Injection
  • GRAPHQL Denial Of Service
  • CRLF Injection
  • GraphQL Injection
  • Webhook security

Any Questions

Open a GitHub Issue :)

dvws-node's People

Contributors

chan9390, kellerben, lacksfish, snoopysecurity, vietlq414, zanderchang


dvws-node's Issues

Not working on AlmaLinux 9 at all

Is there any way to get this running on AlmaLinux 9?
The npm install fails with lots of errors, wrong paths and many other issues, even after I tried to manually install all the required npm packages.

'PROTOCOL_CONNECTION_LOST' ERROR

A 'PROTOCOL_CONNECTION_LOST' error occurred when creating the MySQL database for DVWS. Please help me to fix it, thank you.

┌──(kali㉿kali)-[~/dvws-node]
└─$ node startup_script.js

[+] Creating MySQL database for DVWS....
/home/kali/dvws-node/startup_script.js:22
if (err) throw err;
^

Error: Connection lost: The server closed the connection.
at Protocol.end (/home/kali/dvws-node/node_modules/mysql/lib/protocol/Protocol.js:112:13)
at Socket.<anonymous> (/home/kali/dvws-node/node_modules/mysql/lib/Connection.js:94:28)
at Socket.<anonymous> (/home/kali/dvws-node/node_modules/mysql/lib/Connection.js:526:10)
at Socket.emit (events.js:326:22)
at endReadableNT (_stream_readable.js:1241:12)
at processTicksAndRejections (internal/process/task_queues.js:84:21)
--------------------
at Protocol._enqueue (/home/kali/dvws-node/node_modules/mysql/lib/protocol/Protocol.js:144:48)
at Protocol.handshake (/home/kali/dvws-node/node_modules/mysql/lib/protocol/Protocol.js:51:23)
at Connection.connect (/home/kali/dvws-node/node_modules/mysql/lib/Connection.js:116:18)
at Object.<anonymous> (/home/kali/dvws-node/startup_script.js:21:12)
at Module._compile (internal/modules/cjs/loader.js:999:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1027:10)
at Module.load (internal/modules/cjs/loader.js:863:32)
at Function.Module._load (internal/modules/cjs/loader.js:708:14)
at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:60:12)
at internal/main/run_main_module.js:17:47 {
fatal: true,
code: 'PROTOCOL_CONNECTION_LOST'
}

Unable to login or create admin account

I will caveat this with I'm fairly new to this type of work.

I've downloaded the Docker container to an AWS Linux2 host and have used the docker-compose.yml file to launch.

I understand there is no default user to logon with (or at least there is no information regarding a default admin logon / or if there is - it doesn't work!). With help from a colleague who knows more about this than I, we tried to use the details on the mass-assignment page to create an admin user. Unfortunately this was unsuccessful.

We also tried using curl, without success, getting a status 500 error

curl -f -d "username=foobar2&password=foobar2&admin=true" -H "Content-Type: application/x-www-form-urlencoded"  -X POST http://<IP_OF_HOST>/api/v2/users
curl: (22) The requested URL returned error: 500

curl -f -d "username=newuser&p@ssw0rd=foobar2&admin=true" -H "Content-Type: application/x-www-form-urlencoded"  -X POST http://<IP_OF_HOST>/api/v2/users
curl: (22) The requested URL returned error: 500

I would appreciate ANY help in getting started with this application.....

Many thanks,

Simon.

Application Crash - node_modules/libxmljs/build/Release/xmljs.node: invalid ELF header

web_1 | /home/dvws-node/node_modules/bindings/bindings.js:91
web_1 | throw e
web_1 | ^
web_1 |
web_1 | Error: /home/dvws-node/node_modules/libxmljs/build/Release/xmljs.node: invalid ELF header
web_1 | at Object.Module._extensions..node (node:internal/modules/cjs/loader:1189:18)
web_1 | at Module.load (node:internal/modules/cjs/loader:981:32)
web_1 | at Function.Module._load (node:internal/modules/cjs/loader:822:12)
web_1 | at Module.require (node:internal/modules/cjs/loader:1005:19)
web_1 | at require (node:internal/modules/cjs/helpers:102:18)
web_1 | at bindings (/home/dvws-node/node_modules/bindings/bindings.js:84:48)
web_1 | at Object.<anonymous> (/home/dvws-node/node_modules/libxmljs/lib/bindings.js:1:37)
web_1 | at Module._compile (node:internal/modules/cjs/loader:1105:14)
web_1 | at Object.Module._extensions..js (node:internal/modules/cjs/loader:1159:10)
web_1 | at Module.load (node:internal/modules/cjs/loader:981:32) {
web_1 | code: 'ERR_DLOPEN_FAILED'
web_1 | }
web_1 | [nodemon] app crashed - waiting for file changes before starting...

MySQL error when using docker-compose

After I clone the repository, I ran docker-compose up to start the containers but I noticed that the MySQL container is failing. Here's the error message:

dvws-mysql_1 | 2022-05-04 19:56:20+00:00 [ERROR] [Entrypoint]: mysqld failed while attempting to check config
dvws-mysql_1 | command was: mysqld --verbose --help --log-bin-index=/tmp/tmp.DDbkKPQT96

After this, the web container continually just waits for the MySQL instance to come up, which it never does. I tried to use several different MySQL versions between 5.6 and 5.7, but all had the same error.

Error on unsafe deserialization

POST /api/v2/export HTTP/1.1
Host: dvws.local
Content-Length: 146
accept: application/json; charset=utf-8
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4iLCJwZXJtaXNzaW9ucyI6WyJ1c2VyOnJlYWQiLCJ1c2VyOndyaXRlIiwidXNlcjphZG1pbiJdLCJpYXQiOjE2NTkzMDk3NzQsImV4cCI6MTY1OTQ4MjU3NCwiaXNzIjoiaHR0cHM6Ly9naXRodWIuY29tL3Nub29weXNlY3VyaXR5In0.3tRmhuvBy609M8WSRMdRVExdSbrwHN7sGvWMgdZ0jG8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/json
Origin: http://dvws.local
Referer: http://dvws.local/api-docs/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

{
"rce": "_$$ND_FUNC$$_function (){\n \t require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });\n }()"}

Getting:

HTTP/1.1 500 Internal Server Error
X-Powered-By: Express
Access-Control-Allow-Origin: http://dvws.local
Vary: Origin
Access-Control-Allow-Credentials: true
Cache-Control: no-store, no-cache, must-revalidate, private
Content-Security-Policy: default-src 'none'
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
Content-Length: 1782
Date: Sun, 31 Jul 2022 23:40:23 GMT
Connection: close

<title>Error</title>
TypeError [ERR_INVALID_ARG_TYPE]: The first argument must be of type string or an instance of Buffer, ArrayBuffer, or Array or an Array-like Object. Received undefined
   at new NodeError (node:internal/errors:372:5)
   at Function.from (node:buffer:323:9)
   at export (/home/dvws-node/controllers/passphrase.js:76:22)
   at Layer.handle [as handle_request] (/home/dvws-node/node_modules/express/lib/router/layer.js:95:5)
   at next (/home/dvws-node/node_modules/express/lib/router/route.js:144:13)
   at validateToken (/home/dvws-node/utils.js:18:9)
   at Layer.handle [as handle_request] (/home/dvws-node/node_modules/express/lib/router/layer.js:95:5)
   at next (/home/dvws-node/node_modules/express/lib/router/route.js:144:13)
   at Route.dispatch (/home/dvws-node/node_modules/express/lib/router/route.js:114:3)
   at Layer.handle [as handle_request] (/home/dvws-node/node_modules/express/lib/router/layer.js:95:5)
   at /home/dvws-node/node_modules/express/lib/router/index.js:284:15
   at Function.process_params (/home/dvws-node/node_modules/express/lib/router/index.js:346:12)
   at next (/home/dvws-node/node_modules/express/lib/router/index.js:280:10)
   at Function.handle (/home/dvws-node/node_modules/express/lib/router/index.js:175:3)
   at router (/home/dvws-node/node_modules/express/lib/router/index.js:47:12)
   at Layer.handle [as handle_request] (/home/dvws-node/node_modules/express/lib/router/layer.js:95:5)

Home Area under admin is blank

Hello,
I'm able to log on to dvws at http://dvws.local/home.html#admin; however, in the Home area "All Accessible Areas can be found here" is blank, listing no vulnerabilities. I'm able to access Note, Public Notes Search, and Passphrase Gen. Also, I'm not getting any errors in npm run dvws.

Thanks

Hidden API Functionality are not actually exposed

/api/v2/passphrase is not exposed in the swagger file, nor is dvwsuserservice (which is a SOAP API call independent from the REST API).

"Multiple API calls can be found by parsing this swagger endpoint which cannot be found by simply browsing the application."

It's actually the other way around: this call is not in the swagger file, but it is used by the application when saving a generated passphrase.

docker-compose up ,Unable to start the web

I have tested on multiple virtual machines, but I still can't start it.
It prompts SH: 1: NPM: Not found, and I don't know how to fix it.
image
It did not launch successfully.
image

I hope to get your help

docker-compose up

pull access denied for snoopysecurity/dvws-node, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

IDOR vulnerability not working

I am using the Docker version.
It looks like different users cannot see other users' notes even when they were created as "public".
And more importantly IDOR is not working in a sense that GET /api/v2/notes/[id] always returns an error whether or not a note with that ID exists:
HTTP/1.1 200 OK
X-Powered-By: Express
Vary: Origin
Access-Control-Allow-Credentials: true
Cache-Control: no-store, no-cache, must-revalidate, private
Content-Type: application/json; charset=utf-8
Content-Length: 220
ETag: W/"dc-pxxTOZHl1i2VvdMk6ROXXUByq18"
Date: Thu, 23 Jun 2022 23:52:40 GMT
Connection: close

{"stringValue":"\"0\"","valueType":"string","kind":"ObjectId","value":"0","path":"_id","reason":{},"name":"CastError","message":"Cast to ObjectId failed for value \"0\" (type string) at path \"_id\" for model \"Notes\""}

Error: /home/dvws-node/node_modules/bcrypt/lib/binding/bcrypt_lib.node: invalid ELF header

I keep getting this when I am trying to run docker compose:
Error: /home/dvws-node/node_modules/bcrypt/lib/binding/bcrypt_lib.node: invalid ELF header
web_1 | at Object.Module._extensions..node (internal/modules/cjs/loader.js:807:18)
web_1 | at Module.load (internal/modules/cjs/loader.js:653:32)
web_1 | at tryModuleLoad (internal/modules/cjs/loader.js:593:12)
web_1 | at Function.Module._load (internal/modules/cjs/loader.js:585:3)
web_1 | at Module.require (internal/modules/cjs/loader.js:692:17)
web_1 | at require (internal/modules/cjs/helpers.js:25:18)
web_1 | at Object.<anonymous> (/home/dvws-node/node_modules/bcrypt/bcrypt.js:6:16)
web_1 | at Module._compile (internal/modules/cjs/loader.js:778:30)
web_1 | at Object.Module._extensions..js (internal/modules/cjs/loader.js:789:10)
web_1 | at Module.load (internal/modules/cjs/loader.js:653:32)
web_1 | at tryModuleLoad (internal/modules/cjs/loader.js:593:12)
web_1 | at Function.Module._load (internal/modules/cjs/loader.js:585:3)
web_1 | at Module.require (internal/modules/cjs/loader.js:692:17)
web_1 | at require (internal/modules/cjs/helpers.js:25:18)
web_1 | at Object.<anonymous> (/home/dvws-node/models/users.js:2:16)
web_1 | at Module._compile (internal/modules/cjs/loader.js:778:30)
web_1 | [nodemon] app crashed - waiting for file changes before starting...

Could you kindly suggest any fixes? Thank you..

Docker version

Is there a docker image of this fully functional application? Thank you.

Graphql

I can't find the configuration file of the graphql so I can make port number changes.

Install Error

Hi, I get the errors shown in the picture when I run this command. What is the reason? Thanks (libxmljs board)
npm install --build-from-source

err

Horizontal access control

Hi,

could you please check the horizontal access control below?
"If you know the note ID (e.g. 1-8) and the note name, it is possible to change the content of the note. As such it is possible for any user to change the note content of any user. "

It seems to me that the note id is now an alphanumeric string (non-guessable?):

PUT /api/v2/notes/62e7002d0a5aba0032093dc5 HTTP/1.1
Host: dvws.local
Content-Length: 29
Accept: application/json, text/plain, */*
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdCIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNjU5MzA4NTkzLCJleHAiOjE2NTk0ODEzOTMsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.sqGkIqO6EMfEe4j_snrmNgEE_XMt9gjCQQblro5zP5A
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://dvws.local
Referer: http://dvws.local/notes.html
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

{"name":"yo","body":"change"}
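Both this report and the IDOR issue above concern how /api/v2/notes/:id treats ids and ownership: an unparseable id surfaces a Mongoose CastError in the response, and knowing an id is treated as sufficient to read or change the note. The snippet below is an added example of the hardened pattern and is not dvws-node's code (DVWS is deliberately vulnerable here): it validates the id shape before touching the database, decides access by note owner rather than by id knowledge, and answers 404 for missing and foreign notes alike so the response does not reveal whether an id exists. The in-memory notes map, the usernames and the second note id are constructed sample data; the first id is the one from the PUT request in this issue.

```javascript
// Added example (not dvws-node code): id validation plus owner-based access
// control for a notes endpoint, using an in-memory store instead of Mongoose.

const OBJECT_ID_RE = /^[0-9a-fA-F]{24}$/;   // shape of a MongoDB ObjectId string

// Reject anything that is not a 24-hex-char id before it reaches the database,
// so a value such as "0" yields a 400 rather than a CastError.
function isValidObjectId(id) {
  return typeof id === 'string' && OBJECT_ID_RE.test(id);
}

// Constructed sample notes: owner and visibility are stored with each note.
const notes = new Map([
  ['62e7002d0a5aba0032093dc5', { owner: 'alice', name: 'yo', body: 'hello', public: false }],
  ['62e7002d0a5aba0032093dc6', { owner: 'bob', name: 'shared', body: 'visible to all', public: true }],
]);

const notFound = () => ({ status: 404, body: { error: 'note not found' } });
const badId = () => ({ status: 400, body: { error: 'invalid note id' } });

// Read: owner always, anyone if the note is public; otherwise indistinguishable from missing.
function getNote(caller, id) {
  if (!isValidObjectId(id)) return badId();
  const note = notes.get(id);
  if (!note || (note.owner !== caller && !note.public)) return notFound();
  return { status: 200, body: { id, name: note.name, body: note.body } };
}

// Update: owner only, public or not; only allow-listed fields can change,
// so a request body cannot reassign owner or visibility (mass assignment).
function updateNote(caller, id, changes) {
  if (!isValidObjectId(id)) return badId();
  const note = notes.get(id);
  if (!note || note.owner !== caller) return notFound();
  if (typeof changes.name === 'string') note.name = changes.name;
  if (typeof changes.body === 'string') note.body = changes.body;
  return { status: 200, body: { id, name: note.name, body: note.body } };
}
```

In an Express handler the caller would come from the verified token (req.user), never from the request body or query string, and the same owner check belongs on delete as well.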

Missing OpenAPI specification

Could we please have an openAPI-spec.json file for the app? I've checked the expected location (/api-docs), but I couldn't find it there. Having the OpenAPI spec would greatly assist in brief explanation.

Mongoose connections are not handled properly

Hi,

I deployed the project in a Docker container and tried to attack the APIs using OWASP ZAP. With OWASP ZAP's active scanner, the web container showed more than 700 Mongoose connections after a few seconds:
image

After this, the web server didn't respond anymore.

'Docker compose up' fails with NPM error.

dvws-node# docker-compose up
Creating network "dvws-node_default" with the default driver
Pulling dvws-mongo (mongo:4.0.4)...
Pulling dvws-mysql (mysql:5.7)...
Building web

ERROR: Service 'web' failed to build: The command '/bin/sh -c npm install --build-from-source' returned a non-zero code: 137
4.0.4:: command not found

Any clue?

Application crash

I can connect to dvws.local, but after a bit I'm experiencing an app crash:

root@kali:~/dvws-node# npm run dvws

[email protected] dvws /root/dvws-node
cross-env NODE_ENV=development nodemon index.js

[nodemon] 1.19.4
[nodemon] to restart at any time, enter rs
[nodemon] watching dir(s): .
[nodemon] watching extensions: js,mjs,json
[nodemon] starting node index.js
XML-RPC server listening on port 9090
API listening at :80, go to http://dvws.local (127.0.0.1)
(node:5771) DeprecationWarning: collection.ensureIndex is deprecated. Use createIndexes instead.
(Use node --trace-deprecation ... to show where the warning was created)
events.js:291
throw er; // Unhandled 'error' event
^
Error: read ECONNRESET
at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Connection instance at:
at Connection._handleProtocolError (/root/dvws-node/node_modules/mysql/lib/Connection.js:423:8)
at Protocol.emit (events.js:314:20)
at Protocol._delegateError (/root/dvws-node/node_modules/mysql/lib/protocol/Protocol.js:398:10)
at Protocol.handleNetworkError (/root/dvws-node/node_modules/mysql/lib/protocol/Protocol.js:371:10)
at Connection._handleNetworkError (/root/dvws-node/node_modules/mysql/lib/Connection.js:418:18)
at Socket.emit (events.js:314:20)
at emitErrorNT (internal/streams/destroy.js:106:8)
at emitErrorCloseNT (internal/streams/destroy.js:74:3)
at processTicksAndRejections (internal/process/task_queues.js:80:21) {
errno: -104,
code: 'ECONNRESET',
syscall: 'read',
fatal: true
}
[nodemon] app crashed - waiting for file changes before starting...

Thanks,

App crash when starting

Hi Sam,

I'm excited to try this out but I'm running into issues getting the ball rolling.
I installed the dependencies and I'm running the two docker images as shown at the bottom but I get errors running the app.
I tried running the install and it failed so I used force as shown below.
As shown, I'm running this on a Kali box, which is Debian.

rootkali npm install --build-from-source
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! While resolving: [email protected]
npm ERR! Found: [email protected]
npm ERR! node_modules/mongoose
npm ERR! mongoose@"^5.10.15" from the root project
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peer mongoose@"^4.1.12" from [email protected]
npm ERR! node_modules/mongoose-auto-increment
npm ERR! mongoose-auto-increment@"^5.0.1" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR!
npm ERR! See /root/.npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR! /root/.npm/_logs/2021-07-04T04_31_33_779Z-debug.log

++++++++++++++++++++++++++++++

rootkali npm install --build-from-source --force
npm WARN using --force Recommended protections disabled.
npm WARN ERESOLVE overriding peer dependency
npm WARN Found: [email protected]
npm WARN node_modules/mongoose
npm WARN mongoose@"^5.10.15" from the root project
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer mongoose@"^4.1.12" from [email protected]
npm WARN node_modules/mongoose-auto-increment
npm WARN mongoose-auto-increment@"^5.0.1" from the root project
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated [email protected]: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated [email protected]: Deprecated due to CVE-2021-21366 resolved in 0.5.0
npm WARN deprecated [email protected]: Please upgrade to @mapbox/node-pre-gyp: the non-scoped node-pre-gyp package is deprecated and only the @mapbox scoped package will recieve updates in the future
npm WARN deprecated [email protected]: versions < v5.0.0 do not handle NUL in passwords properly
npm WARN deprecated [email protected]: Please upgrade to @mapbox/node-pre-gyp: the non-scoped node-pre-gyp package is deprecated and only the @mapbox scoped package will recieve updates in the future

b11272852501 mysql:5.7 "docker-entrypoint.s…" 10 minutes ago
972e42e83657 mongo:4.0.4 "docker-entrypoint.s…" 12 minutes ago

rootkali npm run dvws

[email protected] dvws
cross-env NODE_ENV=development nodemon index.js

[nodemon] 2.0.9
[nodemon] to restart at any time, enter rs
[nodemon] watching path(s): .
[nodemon] watching extensions: js,mjs,json
[nodemon] starting node index.js
/root/tools/dvws-node/node_modules/bindings/bindings.js:99
throw err
^

Error: Could not locate the bindings file. Tried:
→ /root/tools/dvws-node/node_modules/libxmljs/build/xmljs.node
→ /root/tools/dvws-node/node_modules/libxmljs/build/Debug/xmljs.node
→ /root/tools/dvws-node/node_modules/libxmljs/build/Release/xmljs.node
→ /root/tools/dvws-node/node_modules/libxmljs/out/Debug/xmljs.node
→ /root/tools/dvws-node/node_modules/libxmljs/Debug/xmljs.node
→ /root/tools/dvws-node/node_modules/libxmljs/out/Release/xmljs.node
→ /root/tools/dvws-node/node_modules/libxmljs/Release/xmljs.node
→ /root/tools/dvws-node/node_modules/libxmljs/build/default/xmljs.node
→ /root/tools/dvws-node/node_modules/libxmljs/compiled/12.21.0/linux/x64/xmljs.node
at bindings (/root/tools/dvws-node/node_modules/bindings/bindings.js:96:9)
at Object.<anonymous> (/root/tools/dvws-node/node_modules/libxmljs/lib/bindings.js:1:37)
at Module._compile (internal/modules/cjs/loader.js:999:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1027:10)
at Module.load (internal/modules/cjs/loader.js:863:32)
at Function.Module._load (internal/modules/cjs/loader.js:708:14)
at Module.require (internal/modules/cjs/loader.js:887:19)
at require (internal/modules/cjs/helpers.js:74:18)
at Object.<anonymous> (/root/tools/dvws-node/node_modules/libxmljs/index.js:4:16)
at Module._compile (internal/modules/cjs/loader.js:999:30) {
tries: [
'/root/tools/dvws-node/node_modules/libxmljs/build/xmljs.node',
'/root/tools/dvws-node/node_modules/libxmljs/build/Debug/xmljs.node',
'/root/tools/dvws-node/node_modules/libxmljs/build/Release/xmljs.node',
'/root/tools/dvws-node/node_modules/libxmljs/out/Debug/xmljs.node',
'/root/tools/dvws-node/node_modules/libxmljs/Debug/xmljs.node',
'/root/tools/dvws-node/node_modules/libxmljs/out/Release/xmljs.node',
'/root/tools/dvws-node/node_modules/libxmljs/Release/xmljs.node',
'/root/tools/dvws-node/node_modules/libxmljs/build/default/xmljs.node',
'/root/tools/dvws-node/node_modules/libxmljs/compiled/12.21.0/linux/x64/xmljs.node'
]
}
[nodemon] app crashed - waiting for file changes before starting...

GraphQL Endpoint Does Not Exist

After installation through docker-compose up, there is no GraphQL endpoint alive. The solutions for GraphQL Arbitrary File Write say there is a GraphQL endpoint listening on port 4000; however, port 4000 is not even open.

Can i get some clue?

Hi there,
I'm currently trying to do some research in API security,
and I found this GitHub repository.
I successfully built it on my VM,
but I can't find any vulnerabilities.
Can I get some clues, such as which API has what kind of vulnerability?
It would be great if I could have some clues.

Thanks and best regards.
P.S. Forgive my poor English.

GraphQL queries: Missing JWT Admin Auth Token

Every time I run one of the GraphQL queries I get the following error:

{
  "errors": [
    {
      "message": "Missing JWT Admin Auth Token",
      "locations": [
        {
          "line": 2,
          "column": 3
        }
      ],
      "path": [
        "updateUserUploadFile"
      ],
      "extensions": {
        "code": "INTERNAL_SERVER_ERROR",
        "exception": {
          "stacktrace": [
            "Error: Missing JWT Admin Auth Token",
            " at Object.updateUserUploadFile (/home/dvws-node/graphql/schema.js:121:17)",
            " at field.resolve (/home/dvws-node/node_modules/apollo-server-core/dist/utils/schemaInstrumentation.js:56:26)",
            " at executeField (/home/dvws-node/node_modules/graphql/execution/execute.js:481:20)",
            " at /home/dvws-node/node_modules/graphql/execution/execute.js:377:22",
            " at promiseReduce (/home/dvws-node/node_modules/graphql/jsutils/promiseReduce.js:23:9)",
            " at executeFieldsSerially (/home/dvws-node/node_modules/graphql/execution/execute.js:373:43)",
            " at executeOperation (/home/dvws-node/node_modules/graphql/execution/execute.js:347:14)",
            " at execute (/home/dvws-node/node_modules/graphql/execution/execute.js:136:20)",
            " at execute (/home/dvws-node/node_modules/apollo-server-core/dist/requestPipeline.js:205:48)",
            " at processGraphQLRequest (/home/dvws-node/node_modules/apollo-server-core/dist/requestPipeline.js:148:34)",
            " at processTicksAndRejections (node:internal/process/task_queues:96:5)",
            " at async processHTTPRequest (/home/dvws-node/node_modules/apollo-server-core/dist/runHttpQuery.js:220:30)"
          ]
        }
      }
    }
  ],
  "data": {
    "updateUserUploadFile": null
  }
}

Query:

mutation {
  updateUserUploadFile(filePath: "../../../../../../tmp/test.txt",fileContent:"foo")
  {
    filePath,
    fileContent
  }
}

I think there must be some way to add an admin token but I couldn't find it.

User authentication does not work

Expected Behavior

All routes are user authenticated.

Current Behavior

If the path of an internal route is known, it is simply accessible, without verifying whether the user exists in the MongoDB database or not.

image

How to ensure the routes are only available via registered users?
