Backendless Support
 
Answered

App ID and REST API Key are exposed in email (upon registration, password reset)

When a user registers (with registration and email confirmation enabled), he'll receive the following link:

https://api.backendless.com/{app_id}/{rest_api_key}/users/confirmation/{user_object_id}

Isn't this dangerous, considering that all permissions are allowed by default for the REST user? One user may use the app ID and REST key to bulk-delete a table if he predicts a table name, easily, since the app ID and REST key are exposed.

Comments (4)

PS: He doesn't even need to guess a table name. I tried the following and all the data were deleted from the Users table:

curl -X DELETE 'https://api.backendless.com/{app_id from email}/{rest_key from email}/data/bulk/Users'

Hello!

The API key is not secret. Data should be protected by configuring the permissions.

Regards, Olga

Thank you for replying. Yes, that is one way, but currently I'm using the REST API user to delete some data, which means I should leave the permission ON. Do you have any suggestions regarding this?

You can create the user named "admin" and give him the permission to delete data if he is logged in.

Regards, Olga
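The admin-user approach suggested above, as an added example that is not from this thread or from Backendless itself: the REST key stays in the URL (it is an app identifier, not a secret), the Delete permission on the table is granted only to the logged-in admin, and the script logs in first and sends the session token with the bulk delete. It assumes, from the Backendless REST API, that POST /users/login returns JSON with a "user-token" field which is then sent as a "user-token" header, and that an optional "where" query parameter narrows the bulk delete; all app IDs, keys and passwords are constructed placeholders.

```python
"""Least-privilege bulk delete for a Backendless table (hypothetical example).

Assumed from the Backendless REST API: POST /users/login with {"login", "password"}
answers with JSON containing "user-token"; that token goes back in a "user-token"
header. /data/bulk/<Table> is the endpoint shown in the thread. Without the
header the request runs under the unauthenticated role, which is the role that
must NOT hold Delete on the table.
"""
import json
import urllib.request
from urllib.parse import quote

BASE = "https://api.backendless.com"


def login_request(app_id, rest_key, login, password):
    """Build the login request; app_id and rest_key only identify the app."""
    url = f"{BASE}/{app_id}/{rest_key}/users/login"
    body = json.dumps({"login": login, "password": password}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"})


def bulk_delete_request(app_id, rest_key, table, user_token, where=None):
    """Build the bulk delete carrying the admin session token."""
    url = f"{BASE}/{app_id}/{rest_key}/data/bulk/{table}"
    if where:
        url += "?where=" + quote(where)  # assumed optional filter (e.g. "status = 'stale'")
    return urllib.request.Request(
        url, method="DELETE", headers={"user-token": user_token})


def token_from_login(response_body):
    """Return the user-token from the login response JSON, or None if absent."""
    return json.loads(response_body).get("user-token")


def delete_as_admin(app_id, rest_key, login, password, table, where=None):
    """Log in as the admin user, then delete with its token (makes network calls)."""
    with urllib.request.urlopen(login_request(app_id, rest_key, login, password)) as r:
        token = token_from_login(r.read())
    if not token:
        raise RuntimeError("login did not return a user-token")
    with urllib.request.urlopen(bulk_delete_request(app_id, rest_key, table, token, where)) as r:
        return r.status


if __name__ == "__main__":
    # Constructed placeholders; substitute your own app's values before running.
    print(delete_as_admin("{APP_ID}", "{REST_KEY}", "admin", "{ADMIN_PASSWORD}",
                          "Users", "status = 'stale'"))
```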