Toast

Reputation: 111

Should I manually set user session when receiving messages?

I have resources that are protected per user. The user themselves are able to edit it, and then some super users are also able to edit it, but other users are not able to.

When it comes to endpoints, I have user sessions and I can check their permissions to see if they are able to edit the resource or not.

However, when it comes to events/messages the service receives, there are no user sessions involved. So it is not able to edit those resources.

I know that the messages that we receive are safe (they only originate from our own systems), so I'm planning on manually setting the user session myself for all events/messages with a system user account.

I could also split the method to be something like updateResource and updateResourceNoPermissionCheck, but I'd rather not give anyone (including other developers) the ability to call the wrong method when they weren't supposed to.

Was wondering about people's thoughts. Thanks in advance!

Upvotes: 1

Views: 42

Answers (1)

Alexey Zimarev

Reputation: 19640

Yes, it's quite normal. I've seen cases when developers pass along the token via message headers, but I don't find it necessary. Providing enough user context information in the message contract establishes solid guarantees for the message receiver about who the user is. It is abnormal when your internal messaging system is exposed externally, which, of course, would create security risks as you cannot trust the sender.

Upvotes: 1
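
The approach discussed in the question and answer above, as an added example that is not code from either poster: a single update method that always checks permissions, with the message consumer binding a system principal only for the duration of one message and recording the originating user from the message contract. The names `Principal`, `acting_as`, `handle_message`, the `system-messaging` account and the message fields are hypothetical, and the resource store is constructed sample data.

```python
from __future__ import annotations
from contextlib import contextmanager
from contextvars import ContextVar
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    user_id: str
    is_super: bool = False
    on_behalf_of: str | None = None  # originating user taken from the message contract

SYSTEM = "system-messaging"  # hypothetical service account name
_current: ContextVar[Principal | None] = ContextVar("principal", default=None)
RESOURCES = {"r1": {"owner": "alice", "body": "old"}}  # constructed sample data
AUDIT: list[tuple[str, str | None, str]] = []

@contextmanager
def acting_as(principal):
    """Bind a principal for one request or one message, then restore the previous one."""
    token = _current.set(principal)
    try:
        yield
    finally:
        _current.reset(token)  # the system identity must not leak into later work

def current_principal():
    return _current.get()

def update_resource(resource_id, body):
    """Single entry point: there is no variant that skips the permission check."""
    p = _current.get()
    res = RESOURCES[resource_id]
    if p is None or not (p.is_super or p.user_id == res["owner"]):
        who = p.user_id if p else "anonymous"
        raise PermissionError(f"{who} may not edit {resource_id}")
    res["body"] = body
    AUDIT.append((p.user_id, p.on_behalf_of, resource_id))

def handle_message(msg):
    """Consumer for the internal bus; the HTTP layer would call acting_as with the session user."""
    system = Principal(SYSTEM, is_super=True, on_behalf_of=msg.get("user_id"))
    with acting_as(system):
        update_resource(msg["resource_id"], msg["body"])
```

The audit entry keeps both the system account and the user named in the message, so an edit made through the bus can still be traced to the person who triggered it.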
