I have a public facing mORMot Interface based Server running TSQLRestServerAuthenticationDefault with a SQLite database, accessed by a JavaScript Client.
The OneToMany database structure uses the TSQLUser TID as the table identifier for the "Customer" (top-most) table (which derives its primary key from TSQLAuthUser), which is propagated to some detail tables as the foreign key. And the authenticated User should only have access to those records that match (directly or via a foreign key) the TSQLUser TID hierarchy.
Because of the ASYNC nature of the architecture, it means that I have to pass the TSQLUserID to the client, and persist it there, for further Detail Table reads and updates (different Interface requests).
I'm thinking this may pose something of a security risk. I only want the authenticated user to have access to the records they own (via the relational hierarchy).
Am I being paranoid? (I don't have a lot of in-depth experience with this architecture.)
If not being paranoid, is there some way I can create persistent Session Variables (Parameters) SERVER SIDE to hold the primary and surrogate keys and populate them at run time for each Service request for the authenticated user session? (I've looked at ServiceContext, but it may be expensive to access that for each CRUD operation, may not be easily implementable for all surrogate keys, and could get messy).
Any thoughts or suggestions would be VERY welcome.
Maybe I'm just getting dumber (too long in lockdown).
Thanks All
Horbs
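One way to keep the owner key server-side, as an added example (Object Pascal against the mORMot 1.18 API as I know it; not code from this thread or from the mORMot project): the service never accepts the TSQLUser ID from the JavaScript client at all, but reads it from ServiceContext on every call and scopes both the read and the update to that session. TSQLOrder, ICustomerService, GetMyOrders, UpdateMyOrder, SessionOwnerID and the interface GUID are hypothetical names chosen for the example.

```pascal
uses
  SynCommons, mORMot;
type
  // hypothetical detail table; Customer holds the owning TSQLAuthUser.ID
  TSQLOrder = class(TSQLRecord)
  private
    fCustomer: TID;
    fTotal: Currency;
  published
    property Customer: TID read fCustomer write fCustomer;
    property Total: Currency read fTotal write fTotal;
  end;
  // no owner parameter on either method: the server derives it from the session
  ICustomerService = interface(IInvokable)
    ['{B8D2F1C4-7C3B-4E0E-9F3A-1C2D3E4F5A6B}']
    function GetMyOrders: RawJSON;
    function UpdateMyOrder(OrderID: TID; NewTotal: Currency): Boolean;
  end;
  TCustomerService = class(TInterfacedObject, ICustomerService)
    function GetMyOrders: RawJSON;
    function UpdateMyOrder(OrderID: TID; NewTotal: Currency): Boolean;
  end;
// caller's TSQLAuthUser.ID from the per-call ServiceContext threadvar (no DB round-trip)
function SessionOwnerID: TID;
begin
  result := ServiceContext.Request.SessionUser;
  if result = 0 then
    raise EServiceException.Create('Authenticated session required');
end;
function TCustomerService.GetMyOrders: RawJSON;
begin // the WHERE clause is bound server-side, so a client cannot widen it
  result := ServiceContext.Request.Server.RetrieveListJSON(
    TSQLOrder, 'Customer=?', [SessionOwnerID], 'ID,Total');
end;
function TCustomerService.UpdateMyOrder(OrderID: TID; NewTotal: Currency): Boolean;
var
  order: TSQLOrder;
begin
  result := false;
  order := TSQLOrder.Create(ServiceContext.Request.Server, OrderID);
  try // a row owned by someone else is treated exactly like a missing row
    if (order.ID = 0) or (order.Customer <> SessionOwnerID) then
      exit;
    order.Total := NewTotal;
    result := ServiceContext.Request.Server.Update(order, 'Total');
  finally
    order.Free;
  end;
end;
```

Because the owner ID only ever lives in the server-side session, a client that edits its persisted copy of the ID gains nothing, and the same SessionOwnerID call can be reused for every detail table that carries the foreign key.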
I would not use the default auth for a public-facing server, especially if you have web clients; really, JWT tokens are the proper way, and it seems like that's what you're looking for.