Edge case - API to list units and cases for a given user - risk exposing too much information

[franck-boullier]

The problem:

We now have a MEFE API that retrieves the units and cases associated to a given user. As of today these API retreive ALL the units and ALL the cases for a given users.

This will become a problem in the following scenario:

• User A;

  • Has a Unee-T account.
  • Has created some unit himself in Unee-T

• Organization X manages many units in Unee-T

  • User A has been invited to some of units managed by organization X

Organization X has access to one of the API keys generated for User A (via the Unee-T Enterprise Interface).

If we use the current version of the API, then the API Key shown to Organization X will enable Organization X to:

• List ALL the units that User A can see (i.e the units created by User A himself + the units under management by Organization X that User A has been invited to)
• List ALL the cases that User A can see (i.e the cases in the "non-Organization X" units + the cases in the Organization X's units that User A has been invited to)

A possible solution:

We should make sure that every API keys are specific to:

• The MEFE user Id (as it is today)
• The MEFE user id of the MEFE user who created this MEFE API key (in this scenario the MEFE user ID associated to Organization X). AND We need to make sure that the API key that Organization X sees for User A only lists:
• Units owned by Organization X
• Cases in Units owned by Organization X

[kaihendry]

I know in AWS's dynamodb and I think in AWS Appsync you can create policies for fine grained access, so that you can say: only expose certain attributes, for certain users.

We could leverage this, so IIUC a "resolver" would need to be written to tell AWS Appsync how to fetch the data from MEFE. And otherwise AWS's tech would manage the API.

Big con as usual is that we become even more dependent on AWS ways of doing things, making it particularly challenging to host oneself or move to another solution.

[nbiton]

@kaihendry Thanks for the suggestions, but it wouldn't be needed.

Since we record who was the issuer of each user's API key, we can restrict the API results to return only units/ cases under units who are "owned" (managed) by that issuer. It will be fairly straightforward to implement.

[franck-boullier]

Fixed in the latest version of the master The API key will only return units and cases for units where the OwnerID is the same as the MEFE user ID of the user who generated the API key.