ex.
Let's say I'm trying to create an eCommerce platform with multiple sellers and I create a Table called Orders
. The partition key will be storeID
and the sort key will be orderNumber
.
Stores can call API.get('Orders', {storeID})
, which will return all the items with the partition key of storeID
.
My application uses Amazon Cognito and each user is assigned a username which is a uuid. My question is can I use the uuid as the storeID
in my DynamoDB table? The key assumption is that attackers won't be able to guess the uuid.
CodePudding user response:
You should always validate access to resources server-side.
Not being able to guess a uuid isn't a safe assumption. Since you are using Amazon Cognito, there should be a way in your server code to get the logged-in user (the uuid). When you are making a query to DynamoDB, you shouldn't rely on a uuid passed by an HTTP query (client-side), but use instead the uuid value of the logged-in user.
The uuid could be used in a Global Secondary Index, so that you can quickly query the orders of a user.
CodePudding user response:
you can use UUID to store the same users data in dynamo as well. But make sure while fetching the details in dynamo what detail an API is actually needed like whether a store API should request only orders and not users so to differentiate those stuffs just add an attribute called "entity_type" which will have
- order
- user
- store
- other resources So while fetching add this entity_type as well one of the where condition to filter out rest of the unwanted stuffs.