Closed lalawow closed 4 years ago
I am confused about the API design: is it designed for admins? But from the auth strategy it seems to be for normal users. Many updates do not verify the user's identity. If I have misunderstood, please point it out.
Your concern has a very good point. The lack of verification in the design can expose the system to some risks. I haven't started to design the authorization rules yet, since I think it depends on the users' needs and it's case by case. We can put a "role" in the User model and use an "authorizationValid()" middleware to do some verification. Before that, sure, if we only allow the users involved and admins to perform those update/delete operations, that will be better practice for safety concerns.
On Wed, Jun 10, 2020 at 12:28 PM Tommy notifications@github.com wrote:
I am confused about the API design: is it designed for admins? But the auth strategy looks like it is for normal users. Many updates do not verify the user's identity. If I have misunderstood, please point it out.
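The reply above sketches the rule "only the user involved or an admin may update/delete a user record", enforced by a role on the User model plus an authorizationValid() middleware. The following is an added illustration of that rule, not code from this PR or the Wiredcraft test-backend project; it assumes an Express-style (req, res, next) middleware, that the authentication strategy has already populated req.user with at least { id, role }, that the target record is named by the :id route param, and that the role value for administrators is the string "admin". The tiny req/res stand-in and the sample scenarios are constructed here so the check can be exercised without a server.

```javascript
// Added example (not the project's code): Express-style middleware enforcing
// "owner of the record, or an admin, or nothing". Every name below is an assumption
// about how the PR's User model and auth strategy might be wired together.

const ADMIN_ROLE = 'admin'; // assumed value of the `role` field for administrators

// Build a middleware for a route whose `:id` param names the user being modified.
// `req.user` is assumed to be set by the authentication strategy (e.g. a JWT or
// session strategy) before this middleware runs.
function authorizationValid({ allowRoles = [ADMIN_ROLE], ownerParam = 'id' } = {}) {
  return function (req, res, next) {
    const user = req.user;
    if (!user || user.id == null) {
      // Not authenticated at all: answer 401, not 403, so clients can distinguish.
      return res.status(401).json({ error: 'authentication required' });
    }
    const targetId = req.params ? req.params[ownerParam] : undefined;
    // Compare as strings: route params are strings, stored ids may be numbers/ObjectIds.
    const isOwner = targetId != null && String(targetId) === String(user.id);
    const isPrivileged = allowRoles.includes(user.role);
    if (!isOwner && !isPrivileged) {
      return res.status(403).json({ error: 'forbidden' });
    }
    return next();
  };
}

// Minimal stand-in for Express's req/res so the middleware can run without a server.
// Returns what the middleware did: the status it sent (if any) and whether it called next().
function runMiddleware(middleware, { user, params }) {
  const result = { status: null, body: null, nextCalled: false };
  const req = { user, params };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  middleware(req, res, () => { result.nextCalled = true; });
  return result;
}

// Constructed sample scenarios (not real users or data).
function demo() {
  const mw = authorizationValid();
  return {
    anonymous: runMiddleware(mw, { user: undefined, params: { id: '42' } }),
    ownRecord: runMiddleware(mw, { user: { id: 42, role: 'user' }, params: { id: '42' } }),
    otherRecord: runMiddleware(mw, { user: { id: 7, role: 'user' }, params: { id: '42' } }),
    admin: runMiddleware(mw, { user: { id: 1, role: 'admin' }, params: { id: '42' } }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two caveats a reviewer would raise once such a middleware is adopted: it only protects routes it is actually mounted on, so every update/delete route needs it explicitly; and the `role` field must not be writable through the same update endpoint the middleware guards, otherwise a user who may edit their own record can also promote themselves to admin.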
Thanks all, this PR is good enough for our evaluation, closing
Tech stack
Docs
./design_intro.md describes how I designed this server.
./how_to_run.md describes how to run the server.