miguelgrinberg / REST-auth

Example application for my RESTful Authentication with Flask article.
http://blog.miguelgrinberg.com/post/restful-authentication-with-flask
MIT License

A security question regarding get_user #18

Closed oddobert closed 4 years ago

oddobert commented 4 years ago

Thank you for a wonderful resource. This is not as much a technical issue as it is a data protection / logical issue.

What is the purpose of exposing the get_user(id) function as an API call? The risk is that someone could iterate over the ids to get a full list of your users. Even by requiring login you would potentially be able to do the same as a registered user.

As far as I can see you do not need the user id except to verify that the user has been created in the database. Wouldn't it be better to have that as a function of the User model, or as part of the new_user function?

My apologies if these are stupid questions.

miguelgrinberg commented 4 years ago

This is something that needs to be decided for each application. Some applications have public users, so this does not present any privacy issue. For some others, obviously, you wouldn't want the list of users to be known, so you would not have a get_user endpoint in your API.

oddobert commented 4 years ago

Thank you for the answer, I will refactor accordingly.
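As an added example (not code from the REST-auth repository), the shape of the questioned get_user endpoint is shown beside a hardened variant that follows the answer above: the lookup requires login and only returns the caller's own record, answering 404 for every other id. The route paths, the in-memory sample users and the hand-rolled Basic-auth parsing are assumptions made to keep the block self-contained.

```python
import base64
from flask import Flask, abort, jsonify, request

app = Flask(__name__)

# Constructed sample users. Sequential integer ids are what makes iterating
# over the endpoint cheap. Plaintext passwords only keep the sample short;
# a real application stores password hashes.
USERS = {1: {"username": "alice", "password": "wonderland"},
         2: {"username": "bob", "password": "builder"}}
def authenticated_user_id():
    """Return the user id matching the request's HTTP Basic header, or None."""
    auth = request.headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        username, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    for uid, user in USERS.items():
        if user["username"] == username and user["password"] == password:
            return uid
    return None
# Shape of the endpoint questioned in the issue: anyone can walk
# /api/users/1, /api/users/2, ... and the 200/404 split confirms which exist.
@app.route("/api/users/<int:user_id>")
def get_user(user_id):
    user = USERS.get(user_id)
    if not user:
        abort(404)
    return jsonify({"username": user["username"]})
# Hardened variant: login required, and a caller may only read their own
# record. Other users' ids and unknown ids both yield 404, so nothing about
# other accounts is revealed. Drop the route entirely if nothing needs it.
@app.route("/api/v2/users/<int:user_id>")
def get_own_user(user_id):
    caller = authenticated_user_id()
    if caller is None:
        abort(401)
    if user_id != caller:
        abort(404)
    return jsonify({"username": USERS[user_id]["username"]})
def lookup(path, username=None, password=None):
    """Call an endpoint through Flask's test client; returns the status code."""
    headers = {}
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    return app.test_client().get(path, headers=headers).status_code
```

Using non-sequential public identifiers (such as UUIDs) instead of the database primary key is a complementary mitigation, since guessing ids then stops being a matter of counting upward.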