Generate secure shareable URL for access to web app (NodeJS)

Question

I am building an application in NodeJS + Express where teams can share information with one and other and chat (kind of like an internal messaging forum).

Sometimes there is a need for the team's clients to view and edit some of this stored information on a case by case basis (e.g. a client asks a question and wants to message back and forth with the team, using my app). I don't want the client to have to sign up for an account in this case.

I am thus wondering what is the most secure strategy for generating a URL where anyone with the URL can view and edit a document/POST data to my app within the confines of a single document, without signing in?

(I've seen a couple of posts on this topic but they're quite old and don't focus on this specific case.)

Answer 1

First of all, I can absolutely understand the benefits, but still it is not an optimal idea. However, I would like to summarize some thoughts and recommendations that will help you with the development:

• A link like this should not be able to perform critical actions or read highly sensitive data.
• Access should be unique and short-lived. For example, the customer could enter his e-mail address or mobile phone number and receive an access code.
• If you generate random URLs, they should be generated in a secure random manner (e.g. uuid provides a way to create cryptographically-strong random values).

If I had to design this I would provide as little functionality as possible. Also, the administrator would have to enter a trusted email address and/or mobile phone number when releasing the document. The URL with a UUIDv4 is then sent to this channel and when the customer clicks on the link, he gets a short-lived access code on a separate channel if possible (on the same channel if only one was configured). This way you prevent the danger of an unauthorized person accessing the document in case a customer forwards the original URL out of stupidity.