I use asp.net WebAPI to provide the service. But I found that exposing the id of the entity (resource identity) is not a good idea.

e.g. if you pass your UserProfile ID to get a user's profile. Because the id is auto-incremented in the DB, if someone iterates the IDs to get other users' profiles, it will make the users' profiles leak. (Maybe you suggest using a GUID, but an int type id has better performance.)

So I want to encrypt the IDs with time in WebAPI filters. Is there a good demo for this?

Update: don't be confused by the User demo. If you have products, first you get the products list, then you will get the product detail by product id. How to protect the product id?

huoxudong125
  • Why do you want this? Doesn't your API have an authentication mechanism? – ProgrammingLlama Jun 29 '17 at 04:11
  • you can use OAuth Jwt authentication – NicoXiang Jun 29 '17 at 04:24
  • I allow the client to access the ids anonymously, not as special users @john – huoxudong125 Jun 29 '17 at 05:19
  • What do you hope to achieve by using an encrypted id? I mean, it clearly isn't to restrict access to the resource. Unless you are hoping for security by obscurity, which is a bad route to go down anyway - security by obscurity isn't security. – ProgrammingLlama Jun 29 '17 at 05:22
  • @john I don't want to avoid someone iterating the Ids. (not using GUID directly) – huoxudong125 Jun 29 '17 at 05:34
  • If you want to encrypt the ids, you could use the MachineKey class. – ProgrammingLlama Jun 29 '17 at 05:36
  • Does it support load balancers? – huoxudong125 Jun 29 '17 at 05:42
  • @john The MachineKey is used to encrypt and secure the page’s ViewState. By default, the .NET framework uses that machine’s own MachineKey, but should your view state get sent to another content delivery server with a different key, well, then the ViewState will be invalid. That’s something of a problem. – huoxudong125 Jun 29 '17 at 05:43
  • You can share a key between machines, so that the encryption result will be the same on multiple machines. It's used for encrypting access tokens in asp.net :) See [here](https://stackoverflow.com/questions/3855666/adding-machinekey-to-web-config-on-web-farm-sites), specifically [this](https://msdn.microsoft.com/en-us/library/ff649308.aspx#paght000007_webfarmdeploymentconsiderations). – ProgrammingLlama Jun 29 '17 at 05:43
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/147888/discussion-between-huoxudong125-and-john). – huoxudong125 Jun 29 '17 at 05:49

1 Answer


You shouldn't hide the ids, but you can control it with roles. Return the resource with a different number of properties based on who's requesting.

If it's an anonymous call, maybe don't return anything, or return only data which is public and can be seen by anyone anyway.

If it's a logged-in user, maybe he can see more data about other users.

If it's an admin who is requesting that information, he can see even more data.

If the user is requesting information about himself, even more data.

Now maybe it would be better to have different endpoints for different levels of access, so that it's easier to define and document your API; for example, for a user to get his own information, it would be /user/me.

Erndob
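The role-based response shaping the answer describes, written out as an added ASP.NET Web API 2 example (not the answerer's code). The UserProfile model, the in-memory store with constructed sample rows, and the "Admin" role name are assumptions; the id stays a plain auto-incremented int, and iterating it anonymously only ever yields the public view.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Web.Http;

// Constructed sample model and in-memory store (hypothetical, not from the question).
public class UserProfile
{
    public int Id;
    public string UserName;
    public string DisplayName;
    public string Email;
    public string Phone;
    public string LastLoginIp;
}

[RoutePrefix("api/user")]
public class UserController : ApiController
{
    private static readonly List<UserProfile> Store = new List<UserProfile>
    {
        new UserProfile { Id = 1, UserName = "alice", DisplayName = "Alice", Email = "alice@example.com", Phone = "555-0100", LastLoginIp = "203.0.113.7" },
        new UserProfile { Id = 2, UserName = "bob",   DisplayName = "Bob",   Email = "bob@example.com",   Phone = "555-0101", LastLoginIp = "198.51.100.9" },
    };

    // GET api/user/me: the caller's own profile; anonymous requests are rejected by [Authorize].
    [Authorize, Route("me")]
    public IHttpActionResult GetMe()
    {
        var profile = Store.FirstOrDefault(p => p.UserName == User.Identity.Name);
        return profile == null ? (IHttpActionResult)NotFound() : Ok(Shape(profile));
    }

    // GET api/user/{id}: reachable anonymously, but the response is shaped by the caller's access level.
    [AllowAnonymous, Route("{id:int}")]
    public IHttpActionResult Get(int id)
    {
        var profile = Store.FirstOrDefault(p => p.Id == id);
        return profile == null ? (IHttpActionResult)NotFound() : Ok(Shape(profile));
    }

    // Build the response from the least-privileged view upward, adding fields per access level.
    private Dictionary<string, object> Shape(UserProfile p)
    {
        var view = new Dictionary<string, object> { ["id"] = p.Id, ["displayName"] = p.DisplayName };
        if (!User.Identity.IsAuthenticated) return view;                  // anonymous: public fields only
        view["email"] = p.Email;                                           // any logged-in user
        if (User.IsInRole("Admin")) view["lastLoginIp"] = p.LastLoginIp;   // admin: audit data
        if (User.Identity.Name == p.UserName) view["phone"] = p.Phone;     // self: private data
        return view;
    }
}
```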