This repository has been archived by the owner on May 23, 2019. It is now read-only.

Leverage MCA server SDK to secure backend endpoints. #15

Closed
rolivieri opened this issue Apr 14, 2016 · 6 comments

Comments

@rolivieri (Collaborator) commented Apr 14, 2016

Secure only the following endpoints using the new MCA SDK for the server:

  • get("/users/:userId")
  • get("/users")
  • post("/users/:userId/images/:fileName/:caption/:width/:height/:latitude/:longitude/:location")
  • post("/users")

Please note that securing the /users/:userId/images/:fileName/:caption/:width/:height/:latitude/:longitude/:location POST endpoint implies that:

  • The userId (Facebook ID) is retrieved from the MCA server SDK.
  • Simple logic should then be implemented to validate that the userId request parameter in the URL matches the Facebook ID retrieved through the MCA SDK on the server. If they don't match, then we throw an error (user is not authorized). For the other endpoints listed above, we don't need to perform this validation.
@rolivieri rolivieri added this to the 0.4 milestone Apr 14, 2016
@rolivieri rolivieri modified the milestones: 0.3, 0.4 May 5, 2016
@rolivieri (Collaborator, Author)

Here's an update from Anton: "I’ve also confirmed that MCA will give you facebook userId at the server side. No need to do anything. see the sample code here - https://github.com/ibm-bluemix-mobile-services/bms-mca-kitura-credentials-plugin. You can do authContext.userIdentity.id, it will hold fb user id."
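The ownership rule from the opening post (only the image-upload POST must check that the `userId` path parameter equals the Facebook id the MCA server SDK reports as `authContext.userIdentity.id`), modelled as an added example. This is not the project's Kitura code nor the MCA SDK; the auth context is a constructed dict mirroring that field, and `Request`/`authorize` are hypothetical names.

```python
# Added example: models the authorization rule discussed in this issue. It is
# not the project's Kitura code and not the MCA SDK; the MCA auth context is
# stubbed as a dict exposing userIdentity.id (the Facebook user id).
from dataclasses import dataclass
from typing import Optional

IMAGES_ROUTE = ("/users/:userId/images/:fileName/:caption/:width/:height"
                "/:latitude/:longitude/:location")

# Endpoints the issue asks to secure. The value says whether the route also
# needs the ownership check (path userId must equal the authenticated id).
PROTECTED = {
    ("GET", "/users/:userId"): False,
    ("GET", "/users"): False,
    ("POST", IMAGES_ROUTE): True,
    ("POST", "/users"): False,
}


@dataclass
class Request:
    method: str
    route: str                             # matched route pattern
    params: dict                           # path parameters from the router
    auth_context: Optional[dict] = None    # None when no valid MCA token


def authorize(req: Request) -> int:
    """Return the HTTP status the handler chain should produce:
    200 allow, 401 no/invalid token, 403 caller does not own the resource."""
    needs_owner_check = PROTECTED.get((req.method, req.route))
    if needs_owner_check is None:
        return 200                         # not one of the secured endpoints
    if req.auth_context is None:
        return 401                         # no token, or MCA rejected it
    if not needs_owner_check:
        return 200                         # authenticated is enough here
    # authContext.userIdentity.id holds the Facebook user id (per the thread)
    fb_id = req.auth_context.get("userIdentity", {}).get("id")
    if not fb_id or fb_id != req.params.get("userId"):
        return 403                         # URL names a different user
    return 200
```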

@rolivieri rolivieri assigned tfrank64 and unassigned tfrank64 May 13, 2016
@tfrank64 (Member)

Currently blocked by this error, communicating with @AntonAleksandrov on a solution.
[image]

@aal80 commented May 13, 2016

@tfrank64 I've updated the package. Please try with v0.1.1

@tfrank64 (Member)

@AntonAleksandrov seems to have fixed the issue. Thanks!

@tfrank64 (Member)

Last test to confirm is post("/users/:userId/images/:fileName/:caption/:width/:height/:latitude/:longitude/:location")

Denies request as expected when passing no auth token. Still need to test in iOS app.

tfrank64 added a commit that referenced this issue May 17, 2016
@rolivieri (Collaborator, Author)

Unfortunately, this issue has to be moved to the next milestone. We are currently blocked by this issue: Kitura/Kitura#487.

@rolivieri rolivieri modified the milestones: 0.4, 0.3 May 20, 2016