API: How to secure access from non-related users?
I am developing a REST API. In my mobile application we have multiple user roles; they all use the same API. Think of the roles as customer, supplier, and admin. The API uses tokens, making sure everyone needs to be logged in and must send the token to the API.
However, if someone has the token somehow, he can easily access any information belonging to any user. For example, using the token of customer A, we can view the information of customers B, C and so on.
Not only that, we can also access the API calls dedicated to the admins using the above-mentioned token.
This is what I thought of doing.
Send the user ID with every request. Also embed the user ID into the token. On the server, before any method is accessed, check whether the user ID in the request and the one in the token are the same.
FYI, I am using Firebase authentication and tokens, then use AWS API Gateway to authenticate access to the API. The user ID I was referring to is in the database.
How do you think I can overcome this issue and secure the API?
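The problem the question describes is an authorization gap, not an authentication one: the API checks that *a* valid token was presented but never checks *which* user it belongs to or what role that user has. The example below is added here and is not code from the original question or answer. It shows the insecure handler beside two hardened ones: an object-level check that compares the owner recorded server-side with the uid from the verified token, and a role check for admin-only calls. It assumes the token signature and expiry have already been verified upstream (for instance by API Gateway or the Firebase Admin SDK) and that the decoded claims arrive as a dict; the claim names `sub` (the Firebase uid) and `role` (a custom claim set with the Admin SDK) are assumptions made for this example.

```python
"""Authorization checks for a multi-role REST API behind Firebase auth.

Added example; not code from the original question or answer.
Assumes the token's signature and expiry were verified upstream and
that its decoded claims are passed in as a dict. The claim names
"sub" (Firebase uid) and "role" (custom claim) are assumptions.
"""
from dataclasses import dataclass
from functools import wraps

ROLES = ("customer", "supplier", "admin")

# Constructed sample data: each order and the uid of the customer who owns it.
ORDERS = {
    "order-1001": {"owner": "uid-customer-A", "total": 42.0},
    "order-1002": {"owner": "uid-customer-B", "total": 17.5},
}


class Forbidden(Exception):
    """Raised when an authenticated caller is not allowed to do something."""


@dataclass(frozen=True)
class Principal:
    uid: str
    role: str


def principal_from_claims(claims):
    """Derive identity and role from the verified token claims only.

    Nothing the client puts in the URL or body decides *who* is calling.
    """
    uid = claims.get("sub")
    if not uid:
        raise Forbidden("token carries no subject")
    role = claims.get("role", "customer")  # missing claim -> least privilege
    if role not in ROLES:
        raise Forbidden(f"unknown role {role!r}")
    return Principal(uid=uid, role=role)


def require_role(*allowed):
    """Decorator that enforces a role check before the handler body runs."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(claims, *args, **kwargs):
            principal = principal_from_claims(claims)
            if principal.role not in allowed:
                raise Forbidden(f"role {principal.role!r} may not call {handler.__name__}")
            return handler(principal, *args, **kwargs)
        return wrapper
    return decorator


# The situation in the question: authenticated, but never authorized.
def get_order_insecure(claims, order_id):
    """Checks only that a valid token exists, so any user can read any order."""
    principal_from_claims(claims)  # authentication only
    return ORDERS[order_id]


# Hardened: object-level check against the owner recorded server-side.
def get_order(claims, order_id):
    principal = principal_from_claims(claims)
    order = ORDERS.get(order_id)
    if order is None or (order["owner"] != principal.uid and principal.role != "admin"):
        # Same error for "not yours" and "does not exist", so IDs cannot be enumerated.
        raise Forbidden("no such order")
    return order


# The asker's idea done safely: a client-supplied user ID is honoured only
# when it equals the uid in the token (or the caller is an admin).
def list_orders_for_user(claims, requested_uid):
    principal = principal_from_claims(claims)
    if requested_uid != principal.uid and principal.role != "admin":
        raise Forbidden("cannot read another user's orders")
    return sorted(oid for oid, o in ORDERS.items() if o["owner"] == requested_uid)


# Admin-only endpoint: the role comes from the token, not from the request.
@require_role("admin")
def list_all_orders(principal):
    return sorted(ORDERS)


def is_forbidden(fn, *args):
    """Helper for demos and tests: True if the call is rejected."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    customer_a = {"sub": "uid-customer-A", "role": "customer"}
    admin = {"sub": "uid-admin", "role": "admin"}
    print("insecure leak:", get_order_insecure(customer_a, "order-1002"))
    print("own orders:", list_orders_for_user(customer_a, "uid-customer-A"))
    print("cross-user denied:", is_forbidden(get_order, customer_a, "order-1002"))
    print("admin call denied:", is_forbidden(list_all_orders, customer_a))
    print("admin sees:", list_all_orders(admin))
```

The key design choice is that the request never carries the authority: the uid and role are read from the verified token and compared with what the server already knows about the resource. Sending the user ID alongside the token, as the question proposes, is harmless but adds nothing, since the token already identifies the caller; what actually closes the hole is the comparison against the resource owner and the role check on every handler.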
Solution 1:[1]
As long as you make sure to pass the tokens only over secured connections, interception of that token is not very likely. If you then use short-lived tokens (such as Firebase's ID tokens), even when a token does get intercepted it can only be used for a short amount of time.
If a token does get intercepted, you can revoke the token, as shown in the Firebase documentation on managing user sessions.
And finally, you can consider implementing App Check for an additional layer of protection, and check that token too in your own backend.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Frank van Puffelen |
