C# · 2w ago
Lounder

What are your thoughts on my application flow? Diagrams attached

Diagrams will be pasted below.

Example API endpoint: GET api/teams/4/warehouse/3/area/13

[image]
31 Replies
Lounder (OP) · 2w ago
Conditional flow diagram ^
Lounder (OP) · 2w ago
Proposed solution 1
[image]
Lounder (OP) · 2w ago
What I don't like about this is how many parameters are passed around. Any suggestions on how I can mitigate this parameter passing, or is it good enough?
Lounder (OP) · 2w ago
Another thing I can do is use middleware/filters to achieve this validation. Example:
[image]
WAASUL · 2w ago
It looks quite well done. How are you validating that a member is a TeamMember? @Lounder If it's done by accessing data from an access token, make sure that it still applies, since tokens are mostly static.
Lounder (OP) · 2w ago
I get the user ID from the token and make a DB query to check if the member is present in the team.
WAASUL · 2w ago
It would be nice if you could avoid doing that every time, maybe by implementing some sort of caching mechanism.
Lounder (OP) · 2w ago
But then a user could be removed from the team and he would still have access.
WAASUL · 2w ago
@Lounder You could blacklist their token. Every token has an issued-at property. In theory, if a member is no longer part of a team, you can blacklist their ID with a timestamp. During authorization, check if the user ID is present in the cache. If so, compare the issued-at from the token against the timestamp from the cache. If the token was issued after the timestamp in the cache, it means the token is newer.
Lounder (OP) · 2w ago
That's actually a really good idea. Awesome, thanks. Or I could blacklist their JIT.
WAASUL · 2w ago
Just make sure you are using a distributed cache. You cannot rely on an in-memory cache.
Lounder (OP) · 2w ago
JTI*
WAASUL · 2w ago
@Lounder You don't want to do that. The token is very long. It will take unnecessary space.
Lounder (OP) · 2w ago
So you're saying I shouldn't store a JTI at all?
WAASUL · 2w ago
What is a JTI?
Lounder (OP) · 2w ago
One sec. JSON token identifier. It is used for such situations: blacklisting or forcing the expiry of a token. It is a random string.
WAASUL · 2w ago
What if the user is authenticated in multiple devices?
Lounder (OP) · 2w ago
hm
WAASUL · 2w ago
All of a sudden you will need to store all JTIs. By storing the user ID, you will save space and it will make everything easier.
Lounder (OP) · 2w ago
If userId is X and timestamp < Y, return unauthorized. Is that what you mean? That should work.
WAASUL · 2w ago
I just store it like this: {"blkusr:userid", "datetime in utc"}. The first one is the key and the second one is the datetime in UTC.
Lounder (OP) · 2w ago
Oh, so you mean store {"blkusr:userid", "datetime in utc"} in a non-memory cache, then have a middleware which checks if a token contains the given userId and the timestamp is older than the given datetime in UTC.
WAASUL · 2w ago
Exactly.
Lounder (OP) · 2w ago
That's awesome. Thank you.
WAASUL · 2w ago
No worries. Also just one last point: if the cache service is not available, don't allow bypassing. Just a last barrier.
Lounder (OP) · 2w ago
Technically, I could apply the same logic for all other checks, right? Such as isTeamOwner, isTeamMember, teamExists. When a team is deleted, I could blocklist all members' JWTs.
WAASUL · 2w ago
In theory, you could. But you will have to store information about the teams in the JWT. Instead of blacklisting all members' IDs, you can blacklist the team ID. That way you save space.
Lounder (OP) · 2w ago
Oh wow, yeah. This will make it a bit complicated, but very performant. I'm debating if I should do it now or later after I have an MVP. It would be a hassle to write, right?
WAASUL · 2w ago
It's really up to you. I would suggest doing some research on it first. If you do decide to go with that approach, then implement it very early in the process.
Lounder (OP) · 2w ago
Thanks for the help! I really appreciate it. Opened my eyes a bit.
WAASUL · 2w ago
No worries. Glad to help. Yeah, I'm doing a similar thing. It took me weeks to create a solution.
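Editor's worked example, appended after the thread and not part of it (neither participant posted code). It implements the scheme WAASUL describes: a distributed-cache entry `blkusr:<userid>` holding a UTC datetime, a request rejected when the token's `iat` is not newer than that datetime, a `blkteam:<teamid>` entry so a deleted team needs one key rather than one per member, and a cache outage that fails closed. Everything else is an assumption of the example, not of the thread: the JWT signature is taken to have been verified upstream, so `claims` is a trusted dict with `sub` (user id), `iat` (unix seconds) and `teams` (team ids the token was minted with, per the "store information about the teams in the jwt" variant); the cache is a Redis-like get/set store, simulated in memory with an outage switch; the key name `blkteam` and the sample tokens are constructed for the demo.

```python
"""Revocation blocklist keyed by user id / team id with an issued-at cutoff.

Added example, not code from the thread. Assumptions (ours, not the thread's):
the JWT signature was verified upstream, so `claims` is a trusted dict with
"sub" (user id), "iat" (unix seconds) and "teams" (list of team ids); the cache
is a Redis-like store behind get()/set(), simulated here in memory with an
outage switch; "blkteam:<id>" is our own key name alongside "blkusr:<id>".
"""
from datetime import datetime, timedelta, timezone


class CacheUnavailable(Exception):
    """Raised when the distributed cache cannot be reached."""


class FakeCache:
    """Stand-in for a distributed key/value cache. Constructed for the demo."""

    def __init__(self):
        self.store = {}
        self.available = True

    def set(self, key, value):
        self.store[key] = value

    def get(self, key):
        if not self.available:
            raise CacheUnavailable(key)
        return self.store.get(key)


def revoke_user(cache, user_id, cutoff):
    """Every token of user_id issued at or before `cutoff` (aware UTC) is now invalid."""
    cache.set(f"blkusr:{user_id}", cutoff.isoformat())


def revoke_team(cache, team_id, cutoff):
    """Every token carrying team_id issued at or before `cutoff` is now invalid.
    One key per team instead of one per member."""
    cache.set(f"blkteam:{team_id}", cutoff.isoformat())


def token_is_revoked(cache, claims, team_id):
    """True if a blocklist entry for the user or the team is at least as new as iat.

    iat has one-second resolution, so a token minted in the same second as the
    revocation counts as revoked (<=), erring towards rejection. CacheUnavailable
    is deliberately not caught here so the caller decides how to fail.
    """
    issued_at = datetime.fromtimestamp(claims["iat"], tz=timezone.utc)
    for key in (f"blkusr:{claims['sub']}", f"blkteam:{team_id}"):
        raw = cache.get(key)
        if raw is not None and issued_at <= datetime.fromisoformat(raw):
            return True
    return False


def authorize(cache, claims, team_id):
    """Middleware-style decision for GET api/teams/<team_id>/...: (allowed, reason)."""
    if team_id not in claims.get("teams", []):
        return False, "not a team member"
    try:
        if token_is_revoked(cache, claims, team_id):
            return False, "token revoked"
    except CacheUnavailable:
        # Fail closed: an unreachable blocklist must not read as "nothing revoked".
        return False, "cache unavailable"
    return True, "ok"


def demo():
    """Walk through the scenarios from the thread; returns {case: (allowed, reason)}."""
    cache = FakeCache()
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    # Constructed tokens, already signature-checked in this model.
    token_u1 = {"sub": "u1", "iat": int(t0.timestamp()), "teams": [4]}
    token_u2 = {"sub": "u2", "iat": int(t0.timestamp()), "teams": [7]}
    out = {}
    out["member"] = authorize(cache, token_u1, 4)
    out["not_member"] = authorize(cache, token_u1, 9)

    # u1 is removed from team 4 five minutes later: block tokens issued before that.
    revoke_user(cache, "u1", t0 + timedelta(minutes=5))
    out["stale_token_after_removal"] = authorize(cache, token_u1, 4)

    # A token minted after the cutoff is newer than the entry and passes the check.
    reissued_u1 = {**token_u1, "iat": int((t0 + timedelta(minutes=10)).timestamp())}
    out["reissued_token"] = authorize(cache, reissued_u1, 4)

    # Team 4 is deleted at t0+20min: one key invalidates every member's older token.
    revoke_team(cache, 4, t0 + timedelta(minutes=20))
    out["deleted_team"] = authorize(cache, reissued_u1, 4)

    # Cache outage: a valid, unrevoked member is still denied (fail closed).
    cache.available = False
    out["cache_down"] = authorize(cache, token_u2, 7)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28s} {result}")
```

The blocklist entries only need to live as long as the longest token lifetime, so in a real cache they would be set with a TTL equal to the token expiry; with that, the store stays bounded by the number of users or teams revoked within one token lifetime, which is the space saving WAASUL is pointing at compared with storing every JTI.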