How to secure Restful api from payload manipulation

Time:01-24

I would like to secure my REST API. I am already using JWT to authenticate users, but what if a user that has a JWT changes the payload of a PUT request? For example, I have a PUT request to update a post, and I need to pass the post ID in the body. How can I prevent users from changing the post ID and sending it again in Postman? If he has a JWT he can execute the PUT API and change any post he wants. I thought about extracting the user ID from the JWT and checking whether the post belongs to him or not, but I have never seen logic like that. Does it exist like that, to check whether the object to update belongs to the JWT before updating it?

CodePudding user response:

Your reasoning is sound: it would be naïve to think that authenticated users won't act maliciously. In the server-side code that handles your PUT route, you should validate the payload and ensure that the authenticated user has the correct permissions/authority to perform the action in the payload before actually making the change on the user's behalf.

CodePudding user response:

Common practice is to read the resource before mutating it, then assert that the user's ID from the decoded token matches that resource's owner ID.
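The pattern both answers describe (verify the token, validate the payload, load the resource, compare its owner with the token's subject, and only then write) in one self-contained handler. This is an added example, not code from the question or either answer; it stands in a minimal HS256 JWT implementation on the standard library, an in-memory `POSTS` dict, and an `update_post` function with a constructed secret and constructed sample data, so it runs offline without a web framework. The `owner_id` column and the `sub` claim are assumed names; in a real service the ownership check is a database lookup and the secret comes from configuration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, ttl: int = 3600) -> str:
    """Mint an HS256 JWT whose 'sub' claim is the authenticated user's ID."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": user_id, "exp": int(time.time()) + ttl},
                                 separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str) -> dict:
    """Return the claims of a valid, unexpired token; raise PermissionError otherwise.

    The caller's identity comes ONLY from the verified 'sub' claim, never from the
    request body, so a client cannot pick whose posts it is allowed to edit.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":          # pin the algorithm; never trust 'alg' blindly
            raise PermissionError("unexpected alg")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise PermissionError("bad signature")
        claims = json.loads(_b64url_decode(p))
    except ValueError as exc:                     # malformed base64/JSON or wrong field count
        raise PermissionError("malformed token") from exc
    if "sub" not in claims or claims.get("exp", 0) < time.time():
        raise PermissionError("token expired or missing subject")
    return claims


# Constructed in-memory stand-in for the posts table.
POSTS = {
    1: {"id": 1, "owner_id": "alice", "title": "Alice's post"},
    2: {"id": 2, "owner_id": "bob", "title": "Bob's post"},
}


def update_post(token: str, body: dict) -> tuple:
    """Handler for PUT /posts. Returns (http_status, response_body)."""
    # 1. Authenticate: who is calling? (from the signed token, not the body)
    try:
        caller = verify_token(token)["sub"]
    except PermissionError as exc:
        return 401, {"error": str(exc)}

    # 2. Validate the payload shape before touching storage.
    post_id = body.get("id")
    if not isinstance(post_id, int) or not isinstance(body.get("title"), str):
        return 400, {"error": "id must be an int and title a string"}

    # 3. Read the resource first (the "read before mutation" step).
    post = POSTS.get(post_id)
    if post is None:
        return 404, {"error": "not found"}

    # 4. Authorize: the token subject must be the resource owner.
    if post["owner_id"] != caller:
        return 403, {"error": "forbidden"}

    # 5. Mutate only an allow-list of fields; owner_id/id in the body are ignored,
    #    so a client cannot re-assign a post by editing the JSON in Postman.
    post["title"] = body["title"]
    return 200, post
```

Two design choices worth noting: the check is done inside the same handler (or the same transaction) as the write, so there is no window between "read" and "update" in which ownership could change; and the response distinguishes 403 from 404 here for clarity, though many APIs return 404 for both so that a caller cannot enumerate which IDs exist.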
