I have a fairly simple API setup on a MEAN stack using PassportJS. I have no problems setting up my routes with no security (grabbing general data) and with user authentication (secure information). However, I cannot seem to find best practices for granting user-based access.
For example: /api/users/:id is a route that requires authentication. So you can never get user information without an access token.
However, once I have a token, I can simply send that with a request and someone ELSE's id to access their content instead of their own. Albeit the ids are long messy things, if someone were to get a person's ID from the system, they only need their own password to access that data.
I considered saving the token in a new collection called sessions and doing additional verification to match the token/userId combo. But I don't know if that's the best practice.
Does Passport handle that auto-magically and I missed that part?
Thanks, Wayne
You already have authentication put in place, so what you now need to implement is authorization.
(source: Auth0 Identity Glossary)
If your authentication system is designed correctly, the access token presented in order to be granted initial access to the /api/users/:id endpoint will allow you to know which user is calling your application, so what you now need to do is implement the business rules that dictate which data the user can access on each individual endpoint. For the /api/users/:id case, if you want users to only be allowed to access their own data, the rule might be as simple as checking that the user identifier requested on the API route matches the user identifier associated with the access token. Given that the access token needs to be implemented in such a way that it cannot be tampered with, you guarantee that only the correct user is granted access to the data.

It seems that you are missing an API check on the userId.
For example, you have a route like /api/:userId/data/:dataId and you would like to ensure that only users who are allowed to access this data item can do so. Then what you would need to do is check that the userId provided in your authentication token is the same as the userId in the API route!
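Both answers describe the same authorization rule: the user id in the route must equal the user id bound to the token. As an added example (not code from the question or either answer), here is an Express-style middleware that applies that rule; it assumes Passport has already verified the token and populated req.user (as a strategy such as passport-jwt does), and it uses hand-written stand-ins for req/res so it runs without Express installed.

```javascript
// Middleware factory: the route parameter `paramName` must match the identity
// Passport attached to req.user. Authentication is assumed to run before this.
function requireOwner(paramName = 'id') {
  return function ownerCheck(req, res, next) {
    // No verified identity at all: that is an authentication failure (401).
    if (!req.user || req.user.id == null) {
      return res.status(401).json({ error: 'authentication required' });
    }
    const requested = req.params && req.params[paramName];
    if (requested === undefined) {
      return res.status(400).json({ error: `missing route parameter ${paramName}` });
    }
    // Compare as strings: a Mongoose ObjectId is an object, a route param is a string.
    if (String(req.user.id) !== String(requested)) {
      // Valid token, but it belongs to a different user: authorization failure (403).
      return res.status(403).json({ error: 'forbidden' });
    }
    return next();
  };
}

// Minimal stand-in for Express's response object (assumption: only status/json used).
function fakeRes() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Run the check against a constructed request and report what happened.
function simulate(user, params, paramName = 'id') {
  const res = fakeRes();
  let reachedHandler = false;
  requireOwner(paramName)({ user, params }, res, () => { reachedHandler = true; });
  return { status: reachedHandler ? 200 : res.statusCode, reachedHandler };
}

// Constructed sample calls for /api/users/:id with a token belonging to "abc123".
console.log(simulate({ id: 'abc123' }, { id: 'abc123' }));   // own data: handler runs
console.log(simulate({ id: 'abc123' }, { id: 'zzz999' }));   // someone else's id: 403
console.log(simulate(undefined, { id: 'abc123' }));           // no token: 401
// Same check reused for /api/:userId/data/:dataId from the second answer.
console.log(simulate({ id: 42 }, { userId: '42', dataId: 'd1' }, 'userId'));
```

Mount it as `app.get('/api/users/:id', passport.authenticate('jwt', { session: false }), requireOwner('id'), handler)` so the ownership check always runs after Passport and before any data is read.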