I am using the below API to get user tokens from the BL backend. However, I have a concern about the security of this process. If someone were to gain access to the objectId of a user (which doesn’t change), they could use an external tool like Postman to query the URL and obtain the user token for that user. This would give them access to everything that the user has access to.
Is there a way to secure this process and prevent unauthorized access? I would appreciate any suggestions or recommendations you may have.
https://xxxx.backendless.app/api/services/xxx_login_user/xxx_login
{
"body": "xxxxxxxxxxxxxxxxxxx"
}
Hello @LetMeTest,
This is your custom method, am I right?
On which side is the request sent to this method? From the client side, whose tokens need to be obtained using this method? If so, the best way to protect this route from attempts to spoof user IDs is to check inside the route on whose behalf the request was made. Inside the method, you can get the current user and, if its objectId does not match the one passed in the parameters, end the request with an error about an illegal access attempt. Or, even better, do not pass the objectId in the parameters at all, but obtain it immediately from the current user token (getting the current user inside the method). Thus it will not even be necessary to validate who sent the request; they will not be able to receive other people's tokens.
Regards,
Stanislaw