Compare 535ae81 to cbab324
Looks good to me except for one question
@JumpLink what is that question? 😄
@wpf500 Sorry, here is the question: any API key has admin and superadmin roles in

```ts
get activeRoles(): RoleType[] {
    return ["admin", "superadmin"];
}
```

As far as I understand, admins can create ApiKeys. Does this mean that an admin can get SuperAdmin rights this way? So for example the ApiKey would have superadmin roles and could also change the roles of the user who created the API key. Is that the case or have I overlooked something?
Ah yeah, I just found your question in my GitHub notifications, will also reply here :). That's a good point and I'll downgrade API keys to admin. In practice the API only uses admin privileges at the moment anyway, but definitely good to fix this now 👍
Actually that makes me think that a much cleaner way of implementing this is just to make creating API keys for superadmins only, that way it doesn't need to do some arbitrary check of what the authentication source is. And it would also help prevent normal admins from accidentally creating API keys (or being tricked into it).
@wpf500 Another solution would be to also give API keys different roles. In this way, a user could create an API key that does not have admin rights (in the case that [selected] users should also be able to do this in the future) and an admin can only create API keys that have maximum admin rights etc. But that would probably be a lot more work and might be something for the backlog.
Or an APIKey is linked to the user and simply always has the same rights as the linked user. But if an API key can also be deliberately restricted, this could be useful in some cases.
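To make the escalation discussed above concrete, here is an added example (not code from this repository or its authors) that models the `activeRoles` behaviour being questioned next to the two mitigations proposed in the thread: capping every key at admin, and never letting a key exceed the rights of the contact that created it. The `ROLE_RANK` ordering, the `createdBy` field, the `createApiKey` and `canChangeRoles` helpers and the sample contacts are assumptions made for this example.

```typescript
// Added example, not the project's code. Models the thread's concern: an
// API key that is always admin + superadmin, created by a plain admin.
type RoleType = "user" | "admin" | "superadmin";

// Role ordering, lowest to highest (assumption for this example).
const ROLE_RANK: Record<RoleType, number> = { user: 0, admin: 1, superadmin: 2 };

interface Contact {
  id: string;
  roles: RoleType[];
}

interface ApiKey {
  id: string;
  createdBy: string; // Contact.id of the creator (assumed field)
  roles: RoleType[];
}

function highestRank(roles: RoleType[]): number {
  return roles.reduce((max, r) => Math.max(max, ROLE_RANK[r]), ROLE_RANK.user);
}

// Behaviour questioned in the thread: every key is admin + superadmin,
// regardless of who created it.
function legacyActiveRoles(): RoleType[] {
  return ["admin", "superadmin"];
}

// Proposed behaviour: the key's roles are the requested roles, capped at both
// the creator's own highest role and at admin. An admin therefore cannot mint
// a superadmin key, and a plain user cannot mint an admin key; a user asking
// only for "user" still gets a key, which covers the "selected users" case.
function createApiKey(creator: Contact, requested: RoleType[], id: string): ApiKey {
  const cap = Math.min(highestRank(creator.roles), ROLE_RANK.admin);
  const roles = requested.filter((r) => ROLE_RANK[r] <= cap);
  if (roles.length === 0) {
    throw new Error(`contact ${creator.id} cannot grant any of: ${requested.join(", ")}`);
  }
  return { id, createdBy: creator.id, roles };
}

// Only superadmin may change another contact's roles (assumption). This is
// the action the thread worried a key could take against its own creator.
function canChangeRoles(activeRoles: RoleType[]): boolean {
  return activeRoles.includes("superadmin");
}

// True when a key's rights exceed its creator's: the escalation described above.
function escalates(creator: Contact, keyRoles: RoleType[]): boolean {
  return highestRank(keyRoles) > highestRank(creator.roles);
}

// Walk-through with constructed data.
const sampleAdmin: Contact = { id: "c-admin", roles: ["admin"] };
const cappedKey = createApiKey(sampleAdmin, ["admin", "superadmin"], "k1");
console.log("legacy key escalates:", escalates(sampleAdmin, legacyActiveRoles()));
console.log("legacy key may change roles:", canChangeRoles(legacyActiveRoles()));
console.log("capped key roles:", cappedKey.roles);
console.log("capped key escalates:", escalates(sampleAdmin, cappedKey.roles));
```

The filter-then-reject shape fails closed: a request for roles the creator cannot grant is refused outright rather than silently upgraded, and the cap at admin means even a superadmin cannot create a superadmin key, matching the "downgrade API keys to admin" decision in the thread.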
Adds validation to the API responses to ensure we aren't accidentally sending back data that the user doesn't have access to.
This is implemented with an interceptor and validation using class-validator. It optionally allows properties to be marked as admin only.
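As an added example of the response-validation idea above (not the project's implementation, and dependency-free rather than built on class-validator), the following registers admin-only properties per response type and wraps a handler so that every outgoing body is checked against the caller's roles. The type names, the `markAdminOnly` registry, the `ContactDto` shape and the sample handler are assumptions for this example; the "reject" and "strip" modes are a design choice shown here, not something the PR states.

```typescript
// Added example, not the project's code: a stand-in for the interceptor +
// class-validator approach, with admin-only properties tracked in a registry.
type Role = "user" | "admin" | "superadmin";

interface RequestContext {
  roles: Role[];
}

type Body = Record<string, unknown>;

// Per-type registry of admin-only properties (stand-in for a property decorator).
const adminOnlyProps = new Map<string, Set<string>>();

function markAdminOnly(typeName: string, ...props: string[]): void {
  const set = adminOnlyProps.get(typeName) ?? new Set<string>();
  props.forEach((p) => set.add(p));
  adminOnlyProps.set(typeName, set);
}

class ResponseValidationError extends Error {
  constructor(typeName: string, property: string) {
    super(`response of type ${typeName} exposes admin-only property "${property}"`);
  }
}

// Superadmin implies admin for the purpose of "admin only" properties.
function isAdmin(ctx: RequestContext): boolean {
  return ctx.roles.includes("admin") || ctx.roles.includes("superadmin");
}

// Validate one object or an array of them. "reject" (default) fails closed on
// any leak; "strip" returns a copy with the offending properties removed.
function validateResponse<T extends Body>(
  typeName: string,
  body: T | T[],
  ctx: RequestContext,
  mode: "reject" | "strip" = "reject",
): T | T[] {
  if (isAdmin(ctx)) return body;
  const restricted = Array.from(adminOnlyProps.get(typeName) ?? new Set<string>());
  const check = (item: T): T => {
    const copy: Body = { ...item };
    for (const prop of restricted) {
      if (!(prop in copy)) continue;
      if (mode === "reject") throw new ResponseValidationError(typeName, prop);
      delete copy[prop];
    }
    return copy as T;
  };
  return Array.isArray(body) ? (body as T[]).map(check) : check(body as T);
}

// Interceptor-style wrapper: the handler's result never reaches the client unchecked.
function withResponseValidation<T extends Body>(
  typeName: string,
  handler: (ctx: RequestContext) => T | T[],
  mode: "reject" | "strip" = "reject",
) {
  return (ctx: RequestContext): T | T[] => validateResponse(typeName, handler(ctx), ctx, mode);
}

// Constructed sample: a contact record whose email and internal notes are admin-only.
interface ContactDto extends Body {
  id: string;
  name: string;
  email?: string;
  notes?: string;
}
markAdminOnly("ContactDto", "email", "notes");

const contactHandler = (_ctx: RequestContext): ContactDto => ({
  id: "c1",
  name: "Ada",
  email: "ada@example.org",
  notes: "vip",
});

const strictGet = withResponseValidation("ContactDto", contactHandler);
const lenientGet = withResponseValidation("ContactDto", contactHandler, "strip");

console.log("admin sees:", strictGet({ roles: ["admin"] }));
console.log("user (strip) sees:", lenientGet({ roles: ["user"] }));
```

Rejecting is the safer default for an interceptor like this: a handler that returns an admin-only field to a non-admin is a bug, and surfacing it as an error makes the leak visible in tests and logs instead of quietly trimming it away.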
Todo