Comments (10)
It could be useful for us to think about the business requirements around permissions and user groups.
Here are some initial thoughts:
- some kind of authentication required for access to the API
- some users only have some verbs on the API (GET), others have more
- some users only have some verbs on the API for some tables
I wonder if there are any online sources with best practices for securing REST APIs?
from soul.
I've just thought of another approach to security. We could introduce a property whereby the API is only available to be called from a Soul Extension. So, users can create a static front-end-only site, host it as an extension, and the REST API is only available from that static site.
In this mode, Soul would not expose any REST routes at all.
That seems pretty bomb-proof :-)
What do you think, @AbegaM ?
from soul.
FYI @thevahidal , @AbegaM and I are going to try to progress the above in coming weeks. We'll be sure to share design thoughts/plans before we start writing code.
from soul.
We can look for any good practices, but there are two things that we must consider: Authentication (which basically means whether the user has access), and Authorization (which means the level of access that the user has).
I think the way something like PocketBase implemented it is really neat; maybe we can adopt their way of doing it.
from soul.
For old-skool web-applications, the hard work was done on the server, including making calls to other backend systems. CORS protection is valid in this context, since we can say Soul should only accept requests from the local server:
But, with modern single-page applications, it's code in the user's browser that is making the REST call. This means we have to open CORS for all addresses:
Sorry if I'm mistaken in the above @thevahidal , but it does seem that for modern SPAs we can only protect Soul in production via authentication and authorisation.
from soul.
Hello @thevahidal - if you're able to put any more high-level thoughts into here, we'll try to move forward on the further detail, and subsequent implementation.
from soul.
For the CORS thing we only have to tell Soul to trust the frontend web app's origin, so the browsers can't complain about it. But you're right that for true protection we need authentication and authorization.
But as you know it's a heavy feature and we need a good design for it.
from soul.
Here is the approach taken to auth in a similar app (PostgREST), but it pushes most responsibilities to the database, and we don't have role-based table access in SQLite.
from soul.
@IanMayo That seems like a great idea. I will see how we can make the API only accessible from Soul.
from soul.
@IanMayo That's awesome, man. I can't wait to see your designs!
from soul.