2

As I'm a newbie, my question might be really simple. I googled but didn't find a convincing answer to my question. I am working on developing a REST API; the purpose of the API is to create a Team of players from existing students. It is a POST method, and as of now the request body will hold the student ID (primary key).

Can the request body contain a table's primary key while accessing a REST API?

Harish

  • It can. But maybe it would be a good idea to not leak internal IDs over the REST API. Use a stable identifier instead. – Lutz Horn May 05 '18 at 13:07
  • @LutzHorn Is a stable identifier something like a unique identifier (varchar) for a student? – Harish May 05 '18 at 13:14
  • Something like this. A username, a UUID, ... Anything that will not change and that is not the internal, autogenerated ID of the DB table. – Lutz Horn May 05 '18 at 13:16
  • Got it, thank you. – Harish May 05 '18 at 13:16

2 Answers

3

You can use an encrypter to encrypt the Id or primary key and then decrypt it when receiving it at the server end. This will also save you from vulnerability issues, as you will validate the Ids at the server side, hence a malicious Id can't be saved when passed in a POST request.

I will repost the whole answer again, but just to add an overview:

import com.fasterxml.jackson.annotation.JsonIgnore;

public class Student {

    @JsonIgnore                 // never serialised: the DB primary key stays on the server
    private Long primaryKey;
    private String id;          // the encrypted form of primaryKey that clients see
    // Other variables

    public Long getDecryptedPrimaryKey() {
        // Decryption logic for the Id value
    }

    public String getId() {
        // Encryption logic
    }
}

Here, when the JSON serialiser gets the Id it will call the getter for Id, which will automatically encrypt it, while when you save or update the data you can call getDecryptedPrimaryKey to get the actual value.

Amit Kumar Lal

  • Does this increase the overhead while processing the request body? – Harish May 05 '18 at 13:31
  • This solution is more useful when you don't want to change any constraints on an existing DB or are working on a legacy system and you frequently need the Id in POST/PUT requests. – Amit Kumar Lal May 05 '18 at 13:31
  • @Harish No, it won't, as the encryption hardly takes any time and you can integrate this with your JSON parser at the server side. Let me know in case you need more help with this. I have implemented the same in legacy applications. – Amit Kumar Lal May 05 '18 at 13:33
  • Yes, please help me with this kind of implementation in detail. – Harish May 05 '18 at 13:37
  • @Harish I have updated the overview for the same. Will update the whole logic in some time, but I hope it may have made things clearer to you. – Amit Kumar Lal May 05 '18 at 14:01
  • Thank you for the explanation, I hope this might solve my issue. Will try this and will keep the post updated. – Harish May 05 '18 at 17:40
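A worked version of the encrypted-Id idea from this answer, added here as an illustration and not the answerer's own code. It assumes jackson-annotations on the classpath, a 16-byte all-zero placeholder key (a real deployment loads its key from configuration), and uses AES-GCM so that a token altered by the client fails authentication instead of decrypting to a different student's key:

```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class Student {
    // Assumption: placeholder key for the example; production code loads a real key from config.
    private static final SecretKey KEY = new SecretKeySpec(new byte[16], "AES");
    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_LEN = 12, TAG_BITS = 128;

    @JsonIgnore
    private final Long primaryKey;   // internal DB key, never written to JSON
    private final String name;

    public Student(Long primaryKey, String name) { this.primaryKey = primaryKey; this.name = name; }

    /** Serialised as "id": base64url(iv || AES-GCM(primaryKey)). Fresh IV per call. */
    public String getId() {
        try {
            byte[] iv = new byte[IV_LEN];
            RNG.nextBytes(iv);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, KEY, new GCMParameterSpec(TAG_BITS, iv));
            byte[] ct = c.doFinal(ByteBuffer.allocate(8).putLong(primaryKey).array());
            byte[] token = ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
            return Base64.getUrlEncoder().withoutPadding().encodeToString(token);
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    /** Server side: recover the primary key from a request token; throws if the tag check fails. */
    public static Long decryptId(String token) throws GeneralSecurityException {
        byte[] raw = Base64.getUrlDecoder().decode(token);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, KEY, new GCMParameterSpec(TAG_BITS, raw, 0, IV_LEN));
        return ByteBuffer.wrap(c.doFinal(raw, IV_LEN, raw.length - IV_LEN)).getLong();
    }

    public String getName() { return name; }

    public static void main(String[] args) throws GeneralSecurityException {
        String token = new Student(42L, "alice").getId();        // constructed sample student
        System.out.println(decryptId(token));                     // 42
    }
}
```

Because a fresh IV is used on every call, the same student gets a different token in each response, which is fine for a round-trip but not for clients that compare or cache identifiers; that is the case where a separate stable public identifier such as a UUID column, as suggested in the question's comments, is the simpler choice.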
2

Yes, it can. But it is not best practice to expose DB ids to the client. You will probably have to identify players by a unique username or email.

Patrik Bego

  • Yes, I agree. Also, can you help me with any good reference online which explains best practices, especially on the request body? – Harish May 05 '18 at 13:26
  • If you are using Spring and Angular, here is a simple example: https://stackoverflow.com/questions/28039709/what-is-difference-between-requestbody-and-requestparam/32980438#32980438 – Patrik Bego May 05 '18 at 13:31