Thank you for such short and clear explanation, especially for practical examples
Very much practical and well explained.
Very practical, thank you.
Love the fact you actually demonstrated these security concepts with code. Thank you! Also, for the Broken Object Level Authorization example, could we alternatively embed the shopId into the JWT or cookie as a claim on login, so that subsequent requests to the "revenue" endpoint can use this shopId to fetch revenue?
Theoretically yes, but that would become more cumbersome when I have more shops. The important idea is that you need to verify that only the shop owner can view the revenue. How you do it is up to you. Be creative.
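To make the exchange above concrete, here is an added example (not code from the video or from either commenter) of a revenue lookup written three ways: trusting a client-supplied shop id (the Broken Object Level Authorization bug), checking ownership on the server, and the claim-based variant the question proposes. Every name and value in it (the shop table, the session tokens, the user names) is constructed for the demonstration.

```python
"""Added example: a minimal "revenue" lookup showing the BOLA bug beside two
ways of verifying that only the shop owner can read a shop's revenue.
All data here is constructed; nothing comes from the video or its code."""

# Constructed sample data: who owns which shop, and each shop's revenue.
SHOP_OWNERS = {"shop-1": "alice", "shop-2": "alice", "shop-3": "bob"}
SHOP_REVENUE = {"shop-1": 1200, "shop-2": 800, "shop-3": 5000}

# Stand-in for validated login sessions. In a real service the user identity
# comes from a verified token or session, never from a header the client sets.
SESSIONS = {"token-alice": "alice", "token-bob": "bob"}


class Unauthorized(Exception):
    """No valid session."""


class Forbidden(Exception):
    """Valid session, but the caller does not own the requested object."""


def authenticate(token):
    """Resolve the caller's identity from the session token."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Unauthorized("invalid session token")


def revenue_vulnerable(token, shop_id):
    """BOLA: the caller is authenticated, but the shop id is taken from the
    request as-is, so any logged-in user can read any shop's revenue."""
    authenticate(token)
    return SHOP_REVENUE[shop_id]


def revenue_checked(token, shop_id):
    """Fixed: identify the caller, then verify the requested object belongs
    to that caller before returning it. The ownership table is the source of
    truth, so it stays correct no matter how many shops a user has."""
    user = authenticate(token)
    if SHOP_OWNERS.get(shop_id) != user:
        # Returning the same error for missing and foreign ids avoids
        # confirming to the caller that a given shop id exists.
        raise Forbidden(f"{user} may not access {shop_id}")
    return SHOP_REVENUE[shop_id]


def revenue_by_claim(token, shop_id_claims, shop_id):
    """Variant from the question: the owned shop ids are issued as token claims
    at login. Here the claims are passed in explicitly rather than decoded from
    a JWT. It works, but the claim set is fixed at login time, so every shop
    the user owns must be listed in it and ownership changes are not reflected
    until the user logs in again."""
    authenticate(token)
    if shop_id not in shop_id_claims:
        raise Forbidden(f"{shop_id} is not among the caller's claims")
    return SHOP_REVENUE[shop_id]


def is_denied(fn, *args):
    """Helper for checks: True if the call is refused with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, bob reads alice's shop:", revenue_vulnerable("token-bob", "shop-1"))
    print("checked, alice reads her shop:", revenue_checked("token-alice", "shop-1"))
    print("checked, bob denied on alice's shop:", is_denied(revenue_checked, "token-bob", "shop-1"))
    print("claim-based, alice with claims:", revenue_by_claim("token-alice", {"shop-1", "shop-2"}, "shop-2"))
```

The difference between the second and third functions is where the authorization data lives: in a server-side ownership table that is consulted on every request, or in a claim set minted at login. Either one fixes the bug; the table scales without the token growing and reflects ownership changes immediately.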
love it, simple and precise
Glad you liked it.
Great content, keep it up!
Thank you! I do my best to keep it up :)
Awesome video!
Glad you enjoyed it. Make sure to share it.
I have been thinking about this more and more: should I be encrypting the payload? I always have SSL and all, but most of the time I'm passing JSON data.
Maybe I'm missing something. The entire request is encrypted. Why also encrypt the payload?
Security is important, but who is sending the id in the header? It is dumb. The token should be created and encrypted during login. Only the token contains information for authentication and authorization.