2

I am currently using Token based authorization via OWIN to keep my APIs from being exposed to everybody. However, there is a flaw attached to this method. Once a user gets a token, he can access any API across my website and get the response for any parameters posted; which is dangerous in my case.

Right now, I need to give API access to my mobile application but I want to strengthen the security of my APIs in such a way that the requests are filtered based on user access.

Use case: I generate a token when the user logs in and will append it with each request to the API. It works absolutely fine but... the generated token can be used to fetch the details of any other user.

What I want to achieve: I want to prevent the above case from happening. I want to filter the illegal requests/responses to/from API.

How do I go about it? How do mobile apps generally restrict users from accessing their API. I am very interested to know about it. Please guide me.

Ravi Kiran
  • 565
  • 1
  • 8
  • 22

1 Answers1

3

What you have implemented till now is only authentication part, it is not going to help you much for securing your website, to implement security in proper way you need to do proper authorization also.

For this you need to implement following things.

RBAC - Role Based Access Control in your web api actions, by this you can achieved using the default Authorize filter provided by the framework.

For example 

[Authorize(Roles = "Administrator")]
public void DoSomething()
{
}

If you are using OWIN, you can set the roles in GrantResourceOwnerCredentials method like following

identity.AddClaim(new Claim(ClaimTypes.Role, "Administrator"));

Data Level Security: This is very important, as people belonging to same role can access only a set of data, to implement this type of security, the best place is your database. You can implement Row Level Security/Cell Level Security in your database, or you can restrict the access of data based on logged in user from your database directly.

Implementing Data Level Security is not straight forward as it is driven through your business requirements (Who can access what). Out of the box no framework will be able to give you complete solution, you need to implement rules by yourself only.

Apart from above two points, you can also consider looking Cross-Site Request Forgery (CSRF) and Data integrity between server and client.

PSK
  • 17,547
  • 5
  • 32
  • 43