Multi-table authorization so only the allowed user is allowed to POST or GET.

CamB (Member), edited December 2022 in Working with APIs

Hi. I've created a giant app, and somewhere near the end I've realized that for authentication, I only authenticate the user. So if they have any of the IDs, and any of the endpoints, bam - they can do anything.

To make it so the logged in user can only query data related to them, do I need to authenticate all my tables, or just use a precondition?

I'm assuming that the precondition would be easiest to implement:

If input.company != extras.company, then don't query. (Where extras.company is set when the auth token is being created.)

What would it look like for authenticating the tables? What would be the use-case for that?

Thanks so much!

Best Answer

Michael Udinski (Administrator)

    Hey @CamB - you wouldn't want to enable authentication on your tables but rather on your API endpoints. The vast majority of applications will authenticate their API endpoints against 1 table (users). Using a precondition is the right path for enforcing something to be true in your function stack in order to execute something. I'm glad you found extras as one method of including extra data in the authentication token. You can also always use the auth ID found in the token to get data from a table when it makes sense.
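The pattern the answer describes, as an added example that is not code from the thread or from the platform it discusses: endpoint authentication against a single users table, a precondition that compares the request's company with the `extras.company` baked into the token, and a second endpoint that scopes its query by the auth ID in the token. The token format, signing secret, `INVOICES` table and all function names are constructed for illustration; the platform's own token and function-stack mechanics are not shown here.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing secret for the example; a real deployment keeps this out of source.
SECRET = b"example-signing-secret"


def issue_token(user_id: int, company: str) -> str:
    """Mint a signed token whose payload carries the auth ID plus an
    'extras' object fixed at creation time (the extras.company idea)."""
    payload = {"id": user_id, "extras": {"company": company}}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str) -> dict:
    """Return the payload only if the signature matches. This is the
    'authenticate the endpoint' step; it only proves who the caller is."""
    try:
        body, sig = token.rsplit(".", 1)
    except ValueError:
        raise PermissionError("malformed token")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("invalid token")
    return json.loads(base64.urlsafe_b64decode(body.encode()))


# Constructed stand-in for a data table that belongs to several companies.
INVOICES = [
    {"id": 1, "company": "acme", "owner_id": 7, "amount": 100},
    {"id": 2, "company": "acme", "owner_id": 8, "amount": 250},
    {"id": 3, "company": "globex", "owner_id": 9, "amount": 75},
]


def get_invoice_unscoped(token: str, invoice_id: int):
    """The original problem: the caller is authenticated, but any valid
    token can read any row just by knowing its ID."""
    verify_token(token)
    return next((r for r in INVOICES if r["id"] == invoice_id), None)


def get_invoice(token: str, company: str, invoice_id: int):
    """Hardened form: the precondition rejects a company that does not
    match the token, and the query itself is filtered by the token's
    company rather than by the caller's input alone."""
    auth = verify_token(token)
    if company != auth["extras"]["company"]:
        raise PermissionError("company does not match token")
    tenant = auth["extras"]["company"]
    return next(
        (r for r in INVOICES if r["id"] == invoice_id and r["company"] == tenant),
        None,  # a row from another tenant looks identical to a missing row
    )


def list_my_invoices(token: str):
    """Using the auth ID found in the token to fetch only the caller's rows;
    no company input is needed at all."""
    auth = verify_token(token)
    return [r for r in INVOICES if r["owner_id"] == auth["id"]]


if __name__ == "__main__":
    t = issue_token(7, "acme")
    print(get_invoice_unscoped(t, 3))   # leaks globex's row to an acme user
    print(get_invoice(t, "acme", 3))    # None: scoped query hides it
    print(list_my_invoices(t))          # only user 7's own rows
```

Two points worth noting in the design: the precondition alone is not the real control, because a caller who sends the right `company` still passes it; the row filter on the token's company is what keeps the query from reaching another tenant's data. And where the endpoint can derive the scope entirely from the token (as `list_my_invoices` does), dropping the client-supplied field removes the thing that needed checking in the first place.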