How to encrypt or Obfuscate REST API URL in Django

Question

Hello Django REST API Experts,

We are building University Course portals where app offers various user types like Professor, Students and Admins using DJANGO/REACT. We are using REST API to connect between backend and frontend.

So, far we are able to perform some basic operation and it really works great. However now I need help from this group to do following:

When students enrolled in course it generates an acknowledge document stating course description, and its prerequisite which needs to get signed by students to ensure student acknowledge they fulfill these requirements.

In order to do this we have following:

• Model for each course which contains the Content, Description and Prerequisite for each course.
• StudentCourseAck Model which has FK to Course, Signed Boolean field, Binary field to store signed doc.

User flow:

• Student logins to portal,
• Select the Course, which generate StudentCourseAck entry.
• Let Student review document and signed the document (on client side using sign pad).
• The Signature gets stored in PDF (as binary field).

So far so good…

Now we want to enhance the featureset which allows admin to email student the link of studentcouseack document incase its not signed before course start. Also this link should only be valid for 48 hours or else it will expire.

So we need some help to enhance these featuresets as follow:

• Current the API is exposed to frontend like: mysite.com/courseack/studentid/documentid
• However we want to encrypt this so the link look like this: mysite.com/uniqueid
• Where uniquid is mapped to /studentid/documented

So I have following design question:

• Question 1: Should we enhance StudentCourseAck which store the UUID for each document?
• Question 2: If I store UUID for each document, how do I make it expire once its generated?
• Question 3: When Student is finished signing, I need to update the document into database to ensure that right document is saved to right student profile, so how can I ensure this security requirement.

I would really appreciate some expert opinion or some guidance so we can proceed this feature implementation. Any other alternative which is simpler and easier to maintain.

Once again thank you for your time and consideration.

Thank You.

Answer 1

Any other alternative which is simpler and easier to maintain.

Keeping the above phrase in mind I propose this solution. Firstly I will not consider this as a DRF problem but as a general problem and proceed to answer your Questions.

The simple solution lies in 4 steps

1. Create a UUID field inside StudentCourseACK so that you can map this uuid with your url mysite.com/uniqueid, catch the document id inside the StudentCourseACK record as a foreign key and also create a created_at inside the model (this will be required for expiry timer)
2. Make a view inside your views.py that takes this StudentCourseACK UUID as a url parameter where you will have to fetch courseack, studentid and documentid from this StudentCourseACK mapping table and redirects it to mysite.com/courseack/studentid/documentid. When you link this view with your url pattern make sure the listing is at the very bottom.
3. To make an expiry timer you can check the created_at date in your StudentCourseAck record for 48hours limit before redirecting inside Step 2
4. Finally when the student is redirected to the mysite.com/courseack/studentid/documentid endpoint you will have to follow a simple process of getting the StudentCourseAck data via .filter(studentid="some value", documentid="somevalue") and make changes to this data accordingly.

Another thing that I realise is that you can completely ditch the long mysite.com/courseack/studentid/documentid url and correspond it's logic inside the new view, but I assume that you want to keep it that way.