Bob W

Reputation: 65

How to prevent authenticated user from spoofing restful api calls

So I built a RESTful API. It has an /account/{id} endpoint to return user data. The API is secured via an identity server that issues the requester a JSON Web Token (JWT) with access to the /account/{id} endpoint. The user sends a request with username and password and receives a JWT in return on successful authentication. Now the user sends a request for their account information to /account/{id}. The request is sent with a token in the header and returns a 200 response with the user data in the payload.

How would one go about authorizing the {id} in the endpoint? In other words, an authenticated user could just add any {id} in the endpoint and potentially receive another user's data. How is this prevented using the JWT?

Upvotes: 5

Views: 1080

Answers (1)

Crouching Kitten

Reputation: 1185

You can store data in a web token. If you store the ID of the user, then you can identify them for each request they make. This is safe, because the contents of the token are signed with the private key of the server. Therefore their contents cannot be changed.

After that you can either limit the API so that each user can only query their own record, or you can also implement a complex role system, where each user has a set of roles (e.g. read-only, guest, maintainer, admin, client, etc.) that define which endpoints they can use and how.

Upvotes: 6
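The flow the answer describes, as an added example written for this page (it is not code from the answerer or from any JWT library). Assumptions: the identity server signs with RS256 (RSA private key) and the API verifies with the matching public key, which Go's standard library supports without third-party packages; the token's `sub` claim carries the account id; a single role named `admin` is allowed to read any account; and the `/account/{id}` handler is modelled as a function that returns the HTTP status it would send, so the authorization decision can be checked directly. The `SwapPayload` helper plays the attacker who edits `sub` in a captured token while keeping the original signature, which is exactly the tampering the signature is there to catch.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims carried in the token. "sub" is the authenticated user's account id
// (the value compared against {id}); "roles" feeds the optional role check.
type Claims struct {
	Sub   string   `json:"sub"`
	Roles []string `json:"roles"`
	Exp   int64    `json:"exp"`
}

var enc = base64.RawURLEncoding // JWT uses unpadded base64url

// Mint is what the identity server does after a successful username/password
// login: sign header.payload with its RSA private key (RS256).
func Mint(priv *rsa.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// Verify is what the API does on every request: pin the algorithm, check the
// signature with the identity server's public key, then check expiry. Only
// after that may the claims be trusted.
func Verify(pub *rsa.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var raw [3][]byte // decoded header, payload, signature
	for i, p := range parts {
		b, err := enc.DecodeString(p)
		if err != nil {
			return nil, errors.New("bad base64url")
		}
		raw[i] = b
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg") // never let the token choose the algorithm
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if json.Unmarshal(raw[1], &c) != nil {
		return nil, errors.New("bad claims")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// AuthorizeAccount is the step the question asks about: the {id} in the path
// must equal the token's sub, unless the caller holds the (assumed) admin role.
func AuthorizeAccount(c *Claims, id string) bool {
	if c.Sub == id {
		return true
	}
	for _, r := range c.Roles {
		if r == "admin" {
			return true
		}
	}
	return false
}

// GetAccount models the handler for GET /account/{id}: 401 for a missing or
// invalid token, 403 for a valid token not allowed to read this id, else 200.
func GetAccount(pub *rsa.PublicKey, authorization, id string, now time.Time) int {
	const bearer = "Bearer "
	if !strings.HasPrefix(authorization, bearer) {
		return 401
	}
	c, err := Verify(pub, strings.TrimPrefix(authorization, bearer), now)
	if err != nil {
		return 401
	}
	if !AuthorizeAccount(c, id) {
		return 403
	}
	return 200
}

// SwapPayload models an attacker replacing the payload (e.g. changing sub)
// while keeping the original signature; Verify must reject the result.
func SwapPayload(token string, c Claims) string {
	parts := strings.Split(token, ".")
	payload, _ := json.Marshal(c)
	return parts[0] + "." + enc.EncodeToString(payload) + "." + parts[2]
}
```

The ordering in `GetAccount` matters: the signature and expiry are checked before anything in the payload is read, and the `{id}` comparison is done against the verified `sub` rather than against anything the client supplied. Pinning `alg` to RS256 closes the classic trick of resubmitting the token with `alg` set to `none` or to an HMAC algorithm keyed with the public key.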
