2
devNaut
4y

Work! Terribile doubt about our project 😭i will leave this company if we do not come up with an adult solution 😔

We are working for another Company, they asked to add a web app to their project.

We made frontend and backend, we make user auth to their api, then call their api (place order, get orders etc), passing their auth token to their services.

Which Means that our endpoints are not really protected (i think) and if we add an endpoint that does not use their api, the only way to secure them Is to take the token, validate It by calling for example get /order of the api and if It fails just discard the request....too slow?

my colleagues do not want to put a serious auth they Just want to use the company api and leave the rest open...

And the customer Just asked to use some other api functionality, but that api has another auth... How do we pur them togheter? The last api want the id of the user to do machine ti machine auth

It Is my 6th month here no one thaught me anything, i think i'll Just leave ..or am i Just experiencing the developer Daily work?😔

Comments
  • 1
    How can you not have auth protection for your APIs? Are they returning "Hello, World!" or whay?
  • 1
    @asgs basically out endpoints are Just calling their endpoints, we offload the client by doing some lil elaboration on responses,...

    Other endpoints are, for example, a send mail endpoint, which has nothing to do whith the third party thing.

    Since the bearer is released by the third party, the only way of protecting the mail endpoint Is to do a check by calling GET /orders of third party api and check It fails or not...

    Otherwise we Need to create our own auth system, i hope so, but then we Need to ask the user to login with our account, then whit the third party account so we can call the api, and then ask the user for their id of the other api they want to include.

    Another solution Will Be maybe, to have a database where we map our account with their api accounts and then map to the id of the other service....
    But since they are the ones controlling accounts and visibility they should be writing all changes to our db...

    I'm seriously loosing trak of their thoughts...
  • 1
    @devNaut I believe your system should have its own auth mechanism. Otherwise, if I happen to know your endpoints, I can hit them which will in turn hit your client's equivalents returning all the information they can

    This looks like a security breach. You should talk to them and figure out what they want
  • 0
    @asgs since they control the auth, how do i achieve that dude?
  • 0
    @devNaut honestly, I don't know what your system is laid out like. It is better to raise this concern with them and find out how they feel that your endpoints are not protected
  • 0
    Yes @asgs and i will report the beach to them, thanks
    ^.^' but
    my sensation Is that they do not know how to behave or develope....

    since they decided to have an api with user authentication, their users, and then to have us to make a new frontend which parte one: only used their api, part two: wants to call a third service, which is a public one with its authentication..

    If they do not share their authentication system in some way to use It like an identity provider or so,

    i'm Just gonna usa a filter on top of any endpoint which will actually call some of their endpoints and check of Is a 200 or 401, yay faith in IT Is gone for now 🙈😆 two companies and multiple developers involved and still this Is the status
  • 0
    Isn't an identity token supposed to be a signed thing that you can validate in place if you know the pubkey?
Add Comment