
Given a multi-tenant database, if I were to create a website with any of the popular JS-based UI platforms (i.e. Angular, Vue, etc.), and assuming both the site and the API are using HTTPS, is it safe to pass Tenant IDs as QS parameters to the API?

To explain more, let's say we have a table in the DB called Customer and it has a primary key column called CustomerId which is an auto-incrementing integer. There will be some API endpoints (well, most, actually) that need the CustomerId as a parameter.

What I'm not sure about (still new to JS-based UI platforms) is if I need to be concerned about this CustomerId being easily spoofed. For example:

"If MY customer ID is 32891, then let's see what happens if I make the same API call using 32892 instead!"

If both the site and the API are HTTPS, is this a concern? Or, should I also give every customer a GUID and use that in the API parameters instead?

(To be clear, I'm not asking about query string parameters that are clearly visible in the browser address bar. I'm asking about GET calls to the API where these IDs are passed as a query string parameter. Also... the API itself is secured using JWT to prevent unauthorized calls. And not that it matters, but the API is built using C# in .NET 5.0.)

Casey Crookston
  • In addition to your JWT authentication, you need to implement authorization. Get the authenticated user for each request, and verify that s/he is authorized to access the resource they are trying to access. This authorization needs to be implemented server-side. Your user can view and change the customer ID you are passing as a query param. Simply using a guid is not a secure solution. – srk Apr 13 '21 at 18:10
  • @srk, ok thanks. I assume you mean just standard (i.e. forms) auth on the website itself. Like... make sure the user is logged in. Correct? – Casey Crookston Apr 13 '21 at 18:12
  • That's authentication. You also need authorization to prevent a user from accessing data they should not have access to. See [Authentication versus Authorization](https://stackoverflow.com/q/6556522). – srk Apr 13 '21 at 18:15
  • What is the relationship between the user (authenticated by JWT) and the CustomerId? I.e. does each user map to exactly one CustomerId? Or can each user possibly have access to more than one CustomerId? – srk Apr 13 '21 at 18:19
  • @srk, one customer can have many users. But any given user can only have one parent customer. I want to be sure that a user only passes to the API the CustomerID for which they are a child. – Casey Crookston Apr 13 '21 at 18:20
  • @srk, to be more clear: In this case, a "customer" is a large organization that has many people working for it. The organization leases the cloud-based SAAS software for their own use and can have many users under their account. – Casey Crookston Apr 13 '21 at 18:22
  • OK, in that case I would go with @nzhul's suggestion: don't pass CustomerId as a query param. Instead, add the CustomerId to the JWT or look it up based on the user id (also from the JWT). – srk Apr 13 '21 at 18:24

1 Answer


I would suggest the customerId be part of the JWT payload (search for JWT claims and how to add custom ones when generating a token). This way you will be sure that it is not modified by a malicious user.

You can still pass it as query parameter if you want, but you have the option to do a validation, by comparing the query value with the value in the JWT.

Don't trust the users. If they can change their customerId and manipulate the request, that is a security issue.

Another option is to not pass the customerId at all, but instead, after authorizing the user, to do a database call and see what their customerId is. I personally would prefer the first option, because you won't have to do an additional database call.

Dobromir Ivanov