I've been searching for how to make a public HTTP request secure, and all the answers are to use a token like JWT.
But from what I understand of the reason for using this token: isn't it to prevent someone from trying to modify someone else's data other than their own?
Then the user can still manipulate his own data using his own token, because when you first connect to the app, you get a token from the server.
That person can modify his or her data at any time. Wouldn't he be able to modify the game points he has at any time? (I actually saw an answer in another question which said to make that HTTP call available only once, after the game is over.)
But if he knows the JWT token and the HTTP request URL, then he can still modify it, right?
Are JWT tokens used, in the worst case, to keep someone else's data from being touched?
More explanation is here.
If I want to change my Stack Overflow nickname, then the Stack Overflow server will check whether the token in the header I sent and the token stored in the database match.
But suddenly I want to raise my Stack Overflow score. Then just checking the token is not enough for the server, I guess. Right? How do you prevent this case?
I don't know what the POST URL that raises the Stack Overflow point score is, but if a hacker knows the POST URL that raises a user's score on Stack Overflow, and knows the token, is that enough to manipulate it?
CodePudding user response:
The JWT token is just used to identify the user making the API request and to check whether that user is authorized to make the request. When you decode a JWT (Firebase Auth's JWT for this example), you can read the user's UID, custom claims, etc.
Passing a user ID directly in API requests is not a good idea because they are usually public (e.g. your Stack Overflow ID is 18516895) and easy to guess. So I could just try passing some random numbers/strings and might be able to make requests on behalf of someone else. So JWTs are mostly used for authorization and information exchange.
Also check out: Introduction to JSON Web Tokens
> But suddenly I want to raise my Stack Overflow score. Then just checking the token is not enough for the server, I guess. Right? How do you prevent this case?
Allowing users to update their own score doesn't seem to be a good idea. Instead, the score should be computed entirely on the back end and can be triggered by any action, such as the user winning the game.
Take Stack Overflow for example: only the person who asked the question can mark any of the answers as accepted. This is authorization. No one else is allowed to do so. After an answer is accepted, the system updates the answerer's score (reputation), so there is no API request made from the client side to increase the score.
The flow could be like:
- Questioner accepts an answer
- Verify the JWT; mark the answer as accepted if the caller owns the question
- Increase score (reputation) of answerer
Adding another case, of a single-player Tetris game where the user directly needs to update the server for a win and earn points, as discussed in the comments: it might be best to send every move to the server and run all game-win logic on the back end instead of checking for a win on the client and letting users hit a /win API over and over again. If the game is completed, then credit points to the user if they won.
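The accept-answer flow above written out as a server-side handler, as an added example that is not code from this answer, from Stack Overflow or from Firebase. It assumes a constructed HS256 signing secret, in-memory question/answer/reputation stores, and a fixed bonus of 15; the point is that the token only says who is calling, while what may change (ownership, one acceptance, the score delta) is decided on the server and never read from the request.

```python
import base64, hashlib, hmac, json, time

# Constructed sample state (assumption: a real service keeps this in a database)
SECRET = b"server-only-signing-key"          # never leaves the server
QUESTIONS = {"q1": {"owner": "alice", "accepted": None}}
ANSWERS = {"a1": {"question": "q1", "author": "bob"}}
REPUTATION = {"alice": 1, "bob": 1}
ACCEPT_BONUS = 15

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(user_id: str, ttl: int = 3600) -> str:
    """Issued once at login: header.payload.signature, HS256 over the first two parts."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str):
    """Authentication only: returns the claims if signature and expiry hold, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None                      # pin the algorithm; never trust the header's choice
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None                      # edited payload or wrong key
        claims = json.loads(_b64url_decode(payload))
    except ValueError:
        return None                          # malformed token
    return claims if claims.get("exp", 0) > time.time() else None

def accept_answer(token: str, answer_id: str) -> str:
    """Handler for 'accept answer': the request names an answer and nothing else;
    identity comes from the token, the score change from server-side rules."""
    claims = verify_jwt(token)
    if claims is None:
        return "401 unauthenticated"
    answer = ANSWERS.get(answer_id)
    if answer is None:
        return "404 unknown answer"
    question = QUESTIONS[answer["question"]]
    if question["owner"] != claims.get("sub"):
        return "403 not the question owner"   # authorization: identity vs. resource ownership
    if question["accepted"] is not None:
        return "409 already accepted"         # idempotence: replaying cannot farm the bonus
    question["accepted"] = answer_id
    REPUTATION[answer["author"]] += ACCEPT_BONUS  # the only place reputation changes
    return "200 accepted"
```

The same shape applies to the Tetris case: the client submits moves, the server replays them, and the only code path that credits points runs after the server itself decides the game was won.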