
I have a GET call to a document management system to get a document based on its document UniqueID. The URL looks like this: www.url.com/getdocument?uniqueid=“**12345**”
Since the uniqueid is visible in the user's browser, users can navigate through other documents by randomly trying different uniqueids.
I’m looking to replace the value of the uniqueid with a variable that can be used as part of the URL.

I thought about storing the uniqueid value in a variable and using it in the URL. I’m just not sure how this should be done (a high-level, prescriptive design).

3 Answers


  1. First of all, if you don’t want users to randomly view documents, you need to implement proper authorization on the backend, so that even if users try a random (but correct) unique ID, the API rejects the request with 403.

    Second, if you want anyone with a valid URL to be able to access the documents without being authorized, but still don’t want them to guess the unique IDs, you may want to add a new public-facing field in the DB and let them use it in the URL instead of the actual uniqueID value in the DB.

    In any case, the changes you need to make should be done on the backend because there’s no way to "hide" query parameters from the user if you want them to open it with a link in the browser, i.e. let them use a GET request.

  2. Good going, Allen. The scenario you currently have is an open question for discussion and can have multiple solutions to implement.

    You are right on the part where users can experiment with IDs to get data of other users that they ideally shouldn’t access.

    One way to curb this is to make sure your ID is not the actual ID of, let’s say, the database or the like. You can use temp IDs (tokens), which then internally map to the actual IDs of the system/DB.

    This will solve a few issues for you. And now, to make sure that you hand out these tokens to authorized users, you need to implement an access control layer.

    As I mentioned, this is an open topic for discussion. I hope my answer serves you as a good starting point to work from.

  3. A good option is to use UUIDs. They can be used to uniquely identify a resource. They are unique universally and use 128 bits to store the information.

    They look something like:

    cc26d321-58fc-4cc1-978a-03f2bbdb2a55
    

    Just add a column of type UUID in your document entity and use it as the unique identifier.

    It will solve your problem as well because it will be difficult to guess the next UUID compared to integer numbers.

    Moreover, you might consider authenticating the request as well if you do not want unauthorised users to access the resources.

    More details here: https://docs.oracle.com/javase/8/docs/api/java/util/UUID.html

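The backend design the answers above converge on, as an added example that is not code from any of the posters: an opaque, random public ID mapped to the internal uniqueid, with an authorization check on every request. The names `publish` and `get_document`, the in-memory dictionaries, the sample documents and the owner-only access rule are all assumptions made for illustration.

```python
import secrets

# Constructed sample data: internal IDs stay sequential, as in the question.
DOCUMENTS = {
    12345: {"owner": "alice", "body": "Q3 contract"},
    12346: {"owner": "bob", "body": "Payroll export"},
}
PUBLIC_TO_INTERNAL = {}  # opaque public token -> internal uniqueid


def publish(internal_id):
    """Issue a random, unguessable public ID for an internal document ID."""
    token = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
    PUBLIC_TO_INTERNAL[token] = internal_id
    return token


def get_document(public_id, user):
    """Handle GET /getdocument?uniqueid=<public_id> for an authenticated user.

    Returns (http_status, body). The authorization check runs on every
    request; the opaque ID only removes enumeration, it grants nothing.
    """
    internal_id = PUBLIC_TO_INTERNAL.get(public_id)
    if internal_id is None:
        return 404, None  # unknown token, or someone trying raw internal IDs
    doc = DOCUMENTS[internal_id]
    if user != doc["owner"]:
        return 403, None  # valid ID, but not this user's document
    return 200, doc["body"]


ALICE_DOC = publish(12345)
BOB_DOC = publish(12346)

if __name__ == "__main__":
    print(get_document(ALICE_DOC, "alice"))  # owner: 200
    print(get_document(BOB_DOC, "alice"))    # leaked/shared link: 403
    print(get_document("12346", "alice"))    # guessed internal ID: 404
```
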