chrismclarke
commented
6 months ago Some initial thoughts related to current endpoints
General
Likely should use rate-limiting to reduce potential server load from repeated requests by bad actors
GET requests
When used to enumerate large response lists these could potentially put a lot of pressure on the server. Given that these are not used by individual users they should likely be restricted to authenticated users (or some sort of auth token). For individual requests I would assume less prone to abuse as would need to know uuid of user to pull data (and use of rate-limiting should prevent brute-force attempts). The only way I'm aware to restrict would be using a tool like firebase app check that verifies requests are coming from a particular app, however this might not be ideal as would force vendor lock-in.
POST requests
For individual users setting their contact fields likely these will need to remain public, and so could in theory be prone to abuse if one user guesses another users uuid and sets data to their profile. I think the likelihood and consequences of this are quite minimal (particularly as local user data resyncs).
deployment headers
We use custom headers to specify deployment. These can be used also to initialise entirely new DBs on demand, which is not a particularly destructive action but may become a nuisance if abused. May want to consider restricting ability to create new dbs to auth token. Likely the best way to implement would be using our existing workflow system and encrypted token variable to add some sort of yarn workflow db configure that sets up for first time.
DELETE requests
These were setup more as temp/testing and should probably just be removed or put behind auth token
What? Currently the server api provides endpoints that are publically available to users without authentication. This is a requirement as most of the apps we use do not enforce login, however it does leave the endpoints open to abuse.
We should consider what additional protections should/could be added to API endpoints
How? Likely start with initial discussion and RFC document, before implementing changes. Creating issue here to track updates.