
I would like to ask if it's okay to have a dynamic route in my React app like this: www.siteurl/orders/:id

The user gets redirected to his order with his order id, which then fetches his data from the DB. The reason behind this is to enable order tracking and the possibility to share the order with whoever the customer wants.

Can this be exploited by someone who shouldn't have access?

Lukáš Brýla

2 Answers


Yes, this type of routing design in the back-end can be exploited by someone else. The right routing design for user-specific information should be like this:

  1. GET Routes:

     www.siteurl/orders/users/:uid : GET orders of a specific user

  2. PATCH Routes:

     www.siteurl/orders/:oid : Change order information

Important note! Both routes have to be protected by authentication, so that only the user can get the ids of his orders and make changes to them.
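The following is an added illustration of the rule in this answer, not code from the question or from any framework the asker uses. It places the unprotected `/orders/:id` lookup next to handlers that first require a logged-in session and then compare the session's user against the order's owner, covering both the GET and the PATCH routes listed above. The in-memory `ORDERS` and `SESSIONS` tables, the function names, and the sample customers are all constructed for this example.

```javascript
// Added example (not from the original answer): an in-memory order store and
// handlers for the routes discussed above. ORDERS, SESSIONS and every function
// name below are assumptions of this example, not part of any real framework.

// Constructed sample data: two customers, each with one order.
const ORDERS = new Map([
  ["1001", { id: "1001", ownerId: "alice", status: "shipped", items: ["book"] }],
  ["1002", { id: "1002", ownerId: "bob", status: "packed", items: ["lamp"] }],
]);

// Constructed session table: session token -> authenticated user id.
const SESSIONS = new Map([
  ["sess-alice", "alice"],
  ["sess-bob", "bob"],
]);

// The shape the question asks about: /orders/:id with no authentication and no
// ownership check. Any caller who knows or guesses an id receives the order.
function lookupOrderUnprotected(orderId) {
  const order = ORDERS.get(orderId);
  return order ? { status: 200, body: order } : { status: 404, body: null };
}

// Hardened GET /orders/:oid: the route requires a session, and the order is
// returned only when its owner is the session's user.
function getOrderForUser(sessionToken, orderId) {
  const userId = SESSIONS.get(sessionToken);
  if (!userId) {
    return { status: 401, body: null }; // not logged in
  }
  const order = ORDERS.get(orderId);
  // Answer 404 for both "no such order" and "not your order", so the endpoint
  // does not reveal which ids exist to someone probing them.
  if (!order || order.ownerId !== userId) {
    return { status: 404, body: null };
  }
  return { status: 200, body: order };
}

// GET /orders/users/:uid from the answer: list the caller's own orders. The uid
// in the URL is checked against the session rather than trusted on its own.
function listOrdersForUser(sessionToken, uid) {
  const userId = SESSIONS.get(sessionToken);
  if (!userId) return { status: 401, body: null };
  if (userId !== uid) return { status: 403, body: null };
  const orders = [...ORDERS.values()].filter((o) => o.ownerId === userId);
  return { status: 200, body: orders };
}

// PATCH /orders/:oid: reuse the same ownership check before changing anything,
// and only allow a whitelisted field to change so a client cannot rewrite ownerId.
function patchOrderForUser(sessionToken, orderId, changes) {
  const lookup = getOrderForUser(sessionToken, orderId);
  if (lookup.status !== 200) return lookup;
  if (typeof changes.status === "string") lookup.body.status = changes.status;
  return { status: 200, body: lookup.body };
}
```

The key difference between the first function and the rest is not the URL shape but that the hardened handlers derive the user from the server-side session and compare it with the record's owner before returning or modifying anything; the id in the URL is only ever a lookup key.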


Just make sure the order itself doesn't contain any sensitive user information, and you're good to go.

In general, that's a frequently asked question: should we expose ids in URLs? In most cases there is no harm in it. That's just a field from the DB, and in theory, for someone to exploit it they would need access to your DB, and if they have access to your DB, you've got a bigger problem than the URL.

n3nad