| Topic | Presenter | Summary | Duration |
| ----------------------------------------------------- | ---------- | --------------------------------------------------------------------------------------------------------- | -------- |
| How and When to Create Secure Custom Endpoints in CEF | Brendan L. | This snippet is from a Friday training that covers how and when to create secure custom endpoints in CEF. | 20:41 |00:00:07.350 --> 00:00:08.630 The the reason that, uh,00:00:08.630 --> 00:00:10.437 I wanted to talk about this is00:00:10.437 --> 00:00:12.546 that I've been seeing a lot of, uh,00:00:12.546 --> 00:00:15.408 like new endpoints created, uh, where?00:00:15.408 --> 00:00:17.484 Either an endpoint may00:00:17.484 --> 00:00:19.560 not actually be needed,00:00:19.560 --> 00:00:23.142 or it's an endpoint where the00:00:23.142 --> 00:00:25.536 operation is somewhat secure,00:00:25.536 --> 00:00:28.990 but there's not any security applied00:00:28.990 --> 00:00:32.735 to the actual endpoint to reflect that.00:00:32.740 --> 00:00:35.106 And so I wanted to talk about00:00:35.110 --> 00:00:37.210 basically the the the tools we00:00:37.210 --> 00:00:39.859 have in safe to secure endpoints up00:00:39.859 --> 00:00:43.042 some of the places you can look to00:00:43.042 --> 00:00:45.328 see examples of that being done.00:00:45.330 --> 00:00:51.006 And most importantly, when and why?00:00:51.010 --> 00:00:53.635 So let me open something that's relevant00:00:53.635 --> 00:00:56.267 first and then I'll share my screen.00:00:56.270 --> 00:00:59.847 Oh, I think this one's on release.00:00:59.850 --> 00:01:01.480 Start with some new stuff.00:01:04.080 --> 00:01:07.424 So a good example of this is if,00:01:07.430 --> 00:01:09.254 as a back end to your ever writing00:01:09.254 --> 00:01:11.377 an end point where you're getting00:01:11.377 --> 00:01:12.989 some information that requires.00:01:12.990 --> 00:01:16.670 Uhm, like knowing which user is logged in.00:01:16.670 --> 00:01:21.666 Uhm? You should never accept anything about00:01:21.666 --> 00:01:25.044 identifying the user from the front end up.00:01:25.044 --> 00:01:27.586 That should always be a00:01:27.586 --> 00:01:28.478 backend authoritative.00:01:28.478 --> 00:01:32.062 You know using the session at the service00:01:32.062 --> 00:01:35.134 layer to figure out who is logged in.00:01:35.140 --> 00:01:36.080 If it's the type of,00:01:36.080 --> 00:01:37.928 if it's the type of request where not00:01:37.928 --> 00:01:39.416 being logged in as an error state,00:01:39.420 --> 00:01:42.150 we have tools that can do00:01:42.150 --> 00:01:43.970 exactly that for you.00:01:43.970 --> 00:01:46.474 But that's something that I've seen a lot00:01:46.474 --> 00:01:49.280 is a endpoints where you'll need some00:01:49.280 --> 00:01:52.139 kind of user information will be needed,00:01:52.140 --> 00:01:54.460 and the endpoint will just00:01:54.460 --> 00:01:57.730 let you pass in a user ID.00:01:57.730 --> 00:01:59.806 And that's a huge no no.00:01:59.810 --> 00:02:02.010 For a variety of reasons.00:02:02.010 --> 00:02:04.446 Uhm, not the least of which00:02:04.446 --> 00:02:06.070 being somebody could just.00:02:06.070 --> 00:02:08.176 Make a program in three seconds00:02:08.176 --> 00:02:10.249 that sends every number in this00:02:10.249 --> 00:02:12.335 under the Sun to that endpoint and00:02:12.340 --> 00:02:15.676 runs that operation for every user.00:02:15.680 --> 00:02:17.284 And if you're unlucky,00:02:17.284 --> 00:02:20.372 your operation might be a git that00:02:20.372 --> 00:02:22.780 returns sensitive information and.00:02:22.780 --> 00:02:25.024 Now you've just leaked a whole00:02:25.024 --> 00:02:26.520 bunch of sensitive information.00:02:26.520 --> 00:02:29.394 So. I'm gonna.00:02:29.394 --> 00:02:32.358 Go ahead and yeah, I'm on the right branch.00:02:32.360 --> 00:02:33.400 Share my screen here.00:02:37.400 --> 00:02:39.818 I hate teams, minimizes the the00:02:39.818 --> 00:02:42.419 window when you share your screen.00:02:42.420 --> 00:02:45.396 Kind of annoying, but it's whatever,00:02:45.400 --> 00:02:49.630 alright so? Let's let's talk about,00:02:49.630 --> 00:02:51.508 I guess some examples of this.00:02:51.510 --> 00:02:53.904 So a really good example of00:02:53.904 --> 00:02:56.460 something like this is looking at.00:02:56.460 --> 00:03:00.285 Uh, the sales order or a lot of other.00:03:00.290 --> 00:03:01.378 A lot of ones. Other ones have this,00:03:01.380 --> 00:03:02.370 but sales orders that could.00:03:02.370 --> 00:03:03.591 Example of it.00:03:03.591 --> 00:03:06.440 UM, so we have stuff like get00:03:06.534 --> 00:03:11.390 current user sales orders. Uhm?00:03:11.390 --> 00:03:12.910 There's someone in here somewhere.00:03:12.910 --> 00:03:14.014 Let me see if I can find it.00:03:18.080 --> 00:03:19.515 I guess it's not general00:03:19.515 --> 00:03:20.376 slash store perfect.00:03:20.380 --> 00:03:22.618 OK, so a sales order obviously00:03:22.618 --> 00:03:24.110 is privileged information to00:03:24.175 --> 00:03:25.820 the person who ordered it,00:03:25.820 --> 00:03:27.752 so you should not be able to00:03:27.752 --> 00:03:29.727 just get any order by its ID.00:03:31.930 --> 00:03:34.846 That is why the get sales order by ID00:03:34.846 --> 00:03:36.646 endpoints, not exposed to the front end.00:03:36.650 --> 00:03:38.645 Instead, what we have exposed to the00:03:38.645 --> 00:03:41.360 front end is get secure sales order.00:03:43.930 --> 00:03:45.102 Is the screen share00:03:45.102 --> 00:03:46.274 working for other people?00:03:46.280 --> 00:03:48.114 Is it just me that's doing it?00:03:48.120 --> 00:03:48.900 OK, it's just me.00:03:48.900 --> 00:03:50.670 I'll work on that. Sorry, OK.00:03:53.290 --> 00:03:56.398 Anyhow, a so you can see.00:03:56.400 --> 00:03:59.260 Basically it's all it does, is it it?00:03:59.260 --> 00:04:01.672 It implements ID, so obviously that means00:04:01.672 --> 00:04:04.456 that it reads an ID from the request00:04:04.456 --> 00:04:06.892 and it returns a sales order model.00:04:06.900 --> 00:04:08.148 Probably pretty much exactly the same00:04:08.148 --> 00:04:09.589 thing as what the other one does.00:04:09.590 --> 00:04:10.998 The differences in the00:04:10.998 --> 00:04:12.054 implementation on this.00:04:12.060 --> 00:04:13.150 So as you can see,00:04:13.150 --> 00:04:14.240 as you can see, again,00:04:14.240 --> 00:04:16.760 this does not ask the front end or does00:04:16.760 --> 00:04:19.518 not accept anything identifying the user.00:04:19.520 --> 00:04:20.888 In its implementation.00:04:24.210 --> 00:04:27.266 Throw with no rights to record a sales00:04:27.266 --> 00:04:29.294 order async so this actually new.00:04:29.294 --> 00:04:31.190 I've never seen this one before,00:04:31.190 --> 00:04:34.326 but let's go look at what that does.00:04:34.330 --> 00:04:36.735 Uhm, they have no rights00:04:36.735 --> 00:04:38.659 to record sales collection.00:04:38.660 --> 00:04:41.068 Uhm, so it goes through and you know,00:04:41.070 --> 00:04:45.030 depending on the the API it does something.00:04:45.030 --> 00:04:49.700 Uhm? So. You can look at that,00:04:49.700 --> 00:04:50.800 and that's an interface.00:04:50.800 --> 00:04:52.450 Which is the workflow and in00:04:52.508 --> 00:04:54.254 this case I would assume that's00:04:54.254 --> 00:04:55.940 probably the sales order workflow.00:04:58.770 --> 00:05:00.360 It probably gets passed in here, yes?00:05:02.440 --> 00:05:07.848 OK. Storefront I did it again.00:05:11.560 --> 00:05:13.918 So then we can look at00:05:13.918 --> 00:05:16.020 exactly how it handles that.00:05:16.020 --> 00:05:19.282 So it grabs the set filters by00:05:19.282 --> 00:05:21.500 the ID and then filters by,00:05:21.500 --> 00:05:23.420 potentially if it's in store ID,00:05:23.420 --> 00:05:25.950 franchise brand, whatever it is.00:05:25.950 --> 00:05:26.925 And then ultimately,00:05:26.925 --> 00:05:30.050 at the end of it, if it's storefront,00:05:30.050 --> 00:05:33.550 it also filters by the account ID,00:05:33.550 --> 00:05:37.654 and if at the end of it it tries to see00:05:37.654 --> 00:05:40.150 if there's any ID that matches that.00:05:40.150 --> 00:05:41.086 If there's not,00:05:41.086 --> 00:05:43.657 then it'll throw an error that says you00:05:43.657 --> 00:05:45.904 don't have rights to view this record.00:05:45.910 --> 00:05:48.470 So I'll try to get back to work.00:05:48.470 --> 00:05:49.823 There's also additional00:05:49.823 --> 00:05:52.078 implementation of that in here.00:05:52.080 --> 00:05:53.879 Uhm where it reads the model and00:05:53.879 --> 00:05:55.639 then after the model comes back,00:05:55.640 --> 00:05:57.400 it confirms that the model is not null,00:05:57.400 --> 00:06:00.640 meaning that you gave it a valid ID.00:06:00.640 --> 00:06:04.077 Uh also confirms that the account ID,00:06:04.080 --> 00:06:05.406 uh, or sorry,00:06:05.406 --> 00:06:08.254 the sales orders account ID is inside00:06:08.254 --> 00:06:10.473 the list of account ID's that were00:06:10.473 --> 00:06:13.290 passed in and that the model is active.00:06:13.290 --> 00:06:14.730 If all of these paths,00:06:14.730 --> 00:06:16.188 then you'll get your model back.00:06:16.190 --> 00:06:17.520 But if your account is not in00:06:17.520 --> 00:06:19.066 the list or the ID is not valid,00:06:19.070 --> 00:06:21.226 or anything else, all you get is00:06:21.226 --> 00:06:23.179 unauthorized to be the sales order.00:06:23.180 --> 00:06:25.360 So.00:06:25.360 --> 00:06:27.474 That's a really good example of justice.00:06:27.480 --> 00:06:29.916 Just simple securing of an end point.00:06:29.920 --> 00:06:31.579 It doesn't take that much to implement.00:06:31.580 --> 00:06:33.196 It looks like a lot of this throw00:06:33.196 --> 00:06:35.012 off no rights to to whatever is00:06:35.012 --> 00:06:36.372 generic sized enough that you00:06:36.431 --> 00:06:37.559 could probably quickly implement00:06:37.559 --> 00:06:41.150 it for new types if you needed to.00:06:41.150 --> 00:06:41.650 But generally,00:06:41.650 --> 00:06:44.050 the way that I do it is is pretty00:06:44.050 --> 00:06:46.304 much exactly how it's done right?00:06:46.304 --> 00:06:48.600 In here I just.00:06:48.600 --> 00:06:51.198 Usually I'll build the query myself,00:06:51.200 --> 00:06:52.768 but it and and you know effectively00:06:52.768 --> 00:06:53.620 all you're doing is.00:06:53.620 --> 00:06:55.455 You're just confirming that some00:06:55.455 --> 00:06:57.625 information on the record matches the00:06:57.625 --> 00:06:59.536 current user and that that user is00:06:59.536 --> 00:07:01.527 allowed to even look at this record.00:07:01.530 --> 00:07:03.357 And if they're not, throw an error.00:07:03.360 --> 00:07:05.280 Don't throw an error that00:07:05.280 --> 00:07:06.816 says anything too specific.00:07:06.820 --> 00:07:07.402 Uhm,00:07:07.402 --> 00:07:11.476 because you know with too much specificity,00:07:11.480 --> 00:07:13.730 people can sort of deduce different00:07:13.730 --> 00:07:15.230 information based on that.00:07:17.780 --> 00:07:19.430 Hence why like whenever, if pretty00:07:19.430 --> 00:07:21.140 much anything goes wrong at checkout,00:07:21.140 --> 00:07:22.796 you just get unknown transaction error00:07:22.796 --> 00:07:25.057 and if anything goes wrong at login it00:07:25.057 --> 00:07:26.713 always says invalid username or password.00:07:29.850 --> 00:07:31.614 So the less information you can00:07:31.614 --> 00:07:33.480 give while still giving some kind00:07:33.480 --> 00:07:35.055 of error for secure transactions00:07:35.055 --> 00:07:37.540 like that, the better. Uhm?00:07:37.540 --> 00:07:40.900 So, uh, onto some of the other00:07:40.900 --> 00:07:43.680 things that we have on the.00:07:43.680 --> 00:07:49.309 On the side of tools you can use to do stuff.00:07:49.310 --> 00:07:50.864 Uhm? Let's see.00:07:50.864 --> 00:07:55.559 If I can find a good example of this,00:07:55.560 --> 00:07:58.864 actually I'm working on CMA over here so.00:07:58.870 --> 00:07:59.908 You can go look at this.00:07:59.910 --> 00:08:01.236 There's probably some stuff over here.00:08:06.590 --> 00:08:08.506 Yeah, so any service.00:08:08.506 --> 00:08:12.210 So any class that derives from clarity,00:08:12.210 --> 00:08:15.288 commerce, service base has access to.00:08:15.290 --> 00:08:19.046 A current user current user ID,00:08:19.050 --> 00:08:21.731 current user ID or throw 401 current00:08:21.731 --> 00:08:23.780 account current account or throw 401,00:08:23.780 --> 00:08:24.968 and so on and so forth.00:08:24.970 --> 00:08:29.044 These are utilities you can use in your00:08:29.044 --> 00:08:31.993 service layer to determine what actual00:08:31.993 --> 00:08:34.808 authenticated user made the request.00:08:34.810 --> 00:08:36.755 The difference between some of00:08:36.755 --> 00:08:39.330 them is like with current user ID.00:08:39.330 --> 00:08:40.492 You could see if my mouse over00:08:40.492 --> 00:08:41.549 that it's a nullable int,00:08:41.550 --> 00:08:43.328 meaning that if we users logged in,00:08:43.330 --> 00:08:44.558 you'll get their ID,00:08:44.558 --> 00:08:45.786 otherwise you'll get null.00:08:45.790 --> 00:08:48.492 Uhm? If you use this one and00:08:48.492 --> 00:08:50.510 nobody is logged in again,00:08:50.510 --> 00:08:51.350 all you're getting is null.00:08:51.350 --> 00:08:56.189 But if you use or throw 401 on the end of it,00:08:56.190 --> 00:08:57.842 the difference is that if a user00:08:57.842 --> 00:08:59.578 is logged in, you'll get their ID.00:08:59.578 --> 00:09:02.230 If they're not, this will throw an exception,00:09:02.230 --> 00:09:05.338 like an unauthorized exception.00:09:05.340 --> 00:09:07.881 So you can use this to basically00:09:07.881 --> 00:09:09.767 enforce somebody being logged in00:09:09.767 --> 00:09:11.945 or the request does not proceed00:09:11.945 --> 00:09:13.799 past whatever point you're at,00:09:13.800 --> 00:09:17.195 so these are really good to use.00:09:17.200 --> 00:09:18.190 Like I said,00:09:18.190 --> 00:09:19.510 there's also account versions00:09:19.510 --> 00:09:21.718 of it current account so you can00:09:21.718 --> 00:09:23.194 get current account and one level00:09:23.194 --> 00:09:24.700 down for associated accounts,00:09:24.700 --> 00:09:26.230 which obviously gives you a00:09:26.230 --> 00:09:27.476 list it's current account ID,00:09:27.476 --> 00:09:29.332 current account ID, or throw 401.00:09:29.332 --> 00:09:30.100 Same thing.00:09:30.100 --> 00:09:31.324 You can also do.00:09:31.324 --> 00:09:33.523 There's methods to get the entire account00:09:33.523 --> 00:09:35.915 model and user model if you need it.00:09:35.920 --> 00:09:37.252 Most of the time,00:09:37.252 --> 00:09:39.810 you probably don't usually just need like ID.00:09:39.810 --> 00:09:40.164 Uhm?00:09:40.164 --> 00:09:40.872 And then,00:09:40.872 --> 00:09:43.350 in terms of either users or account,00:09:43.350 --> 00:09:44.754 you just use whichever one makes00:09:44.754 --> 00:09:46.389 the most sense for your endpoint.00:09:46.390 --> 00:09:49.008 Depending on what it is you're doing.00:09:49.010 --> 00:09:51.908 But we have those available to us.00:09:51.910 --> 00:09:54.640 UM, another really important thing is that00:09:54.640 --> 00:09:58.360 that type of there should never be anything.00:09:58.360 --> 00:10:01.512 Beyond the service layer.00:10:01.512 --> 00:10:03.876 That's relevant too.00:10:03.880 --> 00:10:05.312 The logged in user,00:10:05.312 --> 00:10:06.744 if that makes sense.00:10:06.750 --> 00:10:08.542 So if you ever need to figure out00:10:08.542 --> 00:10:10.188 what users logged in that needs to00:10:10.188 --> 00:10:12.099 be passed in from the service layer,00:10:12.100 --> 00:10:14.008 there shouldn't be any sort of00:10:14.008 --> 00:10:15.976 attempting to deduce that based on00:10:15.976 --> 00:10:18.412 other information in a workflow or something.00:10:18.420 --> 00:10:18.770 Uhm,00:10:18.770 --> 00:10:21.220 let the let the service layer handle00:10:21.220 --> 00:10:23.159 sessions and anything related to00:10:23.159 --> 00:10:25.430 that and any any further down.00:10:25.430 --> 00:10:28.830 If you need a user ID or something passed in,00:10:28.830 --> 00:10:30.125 figure out how that figure out how00:10:30.125 --> 00:10:31.786 you can get that to come from the00:10:31.786 --> 00:10:32.851 service layer instead of trying00:10:32.893 --> 00:10:34.015 to deduce it some other way.00:10:37.290 --> 00:10:41.465 Uhm? So let's see what else00:10:41.465 --> 00:10:44.570 do we have to talk about,00:10:44.570 --> 00:10:46.746 so I guess another thing I wanted to00:10:46.746 --> 00:10:49.345 cover was when to make an endpoint00:10:49.345 --> 00:10:52.680 and when not to make an end point.00:10:52.680 --> 00:10:54.904 So. I guess the the main kind of00:10:54.904 --> 00:10:56.767 important thing to know is that not00:10:56.767 --> 00:10:58.584 everything has to be an end point00:10:58.584 --> 00:11:01.190 in order for in order for you to00:11:01.190 --> 00:11:03.030 add some kind of functionality.00:11:03.030 --> 00:11:05.262 The only time you need to make an end00:11:05.262 --> 00:11:07.103 point is if something outside the00:11:07.103 --> 00:11:09.330 back end needs to trigger the action.00:11:09.330 --> 00:11:10.980 Obviously for a lot of people00:11:10.980 --> 00:11:12.691 that have been working on stuff00:11:12.691 --> 00:11:14.086 for awhile this makes sense,00:11:14.090 --> 00:11:16.550 but I'm mostly speaking for newer00:11:16.550 --> 00:11:19.509 folks that are just getting started.00:11:19.510 --> 00:11:22.535 Hopefully recording of this will will00:11:22.535 --> 00:11:24.950 be found useful in the future too,00:11:24.950 --> 00:11:29.864 but I guess a good example of this is.00:11:29.870 --> 00:11:32.030 Uh, anything related to like00:11:32.030 --> 00:11:34.672 manipulating of data that the front00:11:34.672 --> 00:11:37.096 end doesn't ever need to employ,00:11:37.100 --> 00:11:40.750 like explicitly trigger to happen,00:11:40.750 --> 00:11:43.134 but that still needs to be kind of00:11:43.134 --> 00:11:45.127 broken out into its own method.00:11:45.130 --> 00:11:47.762 That can just be a workflow method00:11:47.762 --> 00:11:50.323 that lives by itself and gets00:11:50.323 --> 00:11:52.573 called by some other workflow.00:11:52.580 --> 00:11:54.575 That's that would be the the ideal00:11:54.575 --> 00:11:56.654 way to trigger that instead of a00:11:56.654 --> 00:11:58.400 instead of making it an endpoint00:11:58.459 --> 00:12:00.377 and having the front end call it,00:12:00.380 --> 00:12:03.548 because generally speaking you don't want.00:12:03.550 --> 00:12:05.574 You don't want to give them the front00:12:05.574 --> 00:12:07.660 end too much ability to manipulate.00:12:07.660 --> 00:12:08.020 Data,00:12:08.020 --> 00:12:10.540 especially when we talk about the storefront.00:12:10.540 --> 00:12:12.717 Obviously the admin you want as much00:12:12.720 --> 00:12:14.496 manipulating of data as you can,00:12:14.500 --> 00:12:16.789 but with storefront you wanna try to.00:12:16.790 --> 00:12:17.430 Basically,00:12:17.430 --> 00:12:19.990 control all data manipulation00:12:19.990 --> 00:12:21.695 through through specific endpoints00:12:21.695 --> 00:12:24.430 that do the thing they need to do.00:12:24.430 --> 00:12:26.338 Hence we don't have endpoints for00:12:26.338 --> 00:12:28.010 creating carts and cart items.00:12:28.010 --> 00:12:30.434 We have an add to cart endpoint and00:12:30.434 --> 00:12:32.710 that endpoint handles creating the cart,00:12:32.710 --> 00:12:33.974 creating the card item,00:12:33.974 --> 00:12:35.558 updating quantities, all that stuff.00:12:35.558 --> 00:12:37.770 We don't let the front end have00:12:37.837 --> 00:12:39.369 complete fine grained control00:12:39.369 --> 00:12:41.667 over how all of that works.00:12:41.670 --> 00:12:43.266 We just we handle that on00:12:43.266 --> 00:12:46.538 the back end with a mix of.00:12:46.540 --> 00:12:49.949 Session information and other such things so.00:12:52.340 --> 00:12:54.168 You can kind of.00:12:54.168 --> 00:12:56.766 Think basically just think through what00:12:56.766 --> 00:12:59.214 the what it is that you're working on,00:12:59.220 --> 00:13:01.460 and if there's any reason the front00:13:01.460 --> 00:13:04.019 end would ever need to call an endpoint00:13:04.020 --> 00:13:07.260 intentionally to trigger some action,00:13:07.260 --> 00:13:09.054 or if the action will always00:13:09.054 --> 00:13:11.552 be a side effect of some other00:13:11.552 --> 00:13:13.188 endpoint that already exists.00:13:13.190 --> 00:13:18.012 So. Uhm? Let's see.00:13:18.012 --> 00:13:21.220 If there's any other cool stuff I can00:13:21.310 --> 00:13:22.950 talk about, do I already have this?00:13:22.950 --> 00:13:24.566 All this is literally the final I'm in,00:13:24.570 --> 00:13:26.870 I can't read. Uhm?00:13:29.670 --> 00:13:32.757 So for example, some of these require00:13:32.757 --> 00:13:35.095 an authenticate attribute on the on00:13:35.095 --> 00:13:36.820 the route itself, the route class.00:13:36.820 --> 00:13:39.364 All that means is that if the user if00:13:39.364 --> 00:13:41.009 there's no user authenticated when00:13:41.009 --> 00:13:42.980 this request is called, it just.00:13:44.990 --> 00:13:46.000 It will throw an error,00:13:46.000 --> 00:13:48.060 so I don't remember exactly00:13:48.060 --> 00:13:51.198 which error, probably a 401. But00:13:53.610 --> 00:13:55.740 yeah, so that's a good one to know about is00:13:55.795 --> 00:13:57.925 that you have that authenticated attribute,00:13:57.930 --> 00:14:01.808 the used in the attributes are also.00:14:01.810 --> 00:14:04.395 You know tangentially related to00:14:04.395 --> 00:14:07.106 securing endpoints if you don't need00:14:07.106 --> 00:14:09.201 to expose endpoint to storefront00:14:09.201 --> 00:14:12.792 or to admin or whatever. Don't uhm.00:14:12.792 --> 00:14:17.058 Just only expose them to whatever.00:14:17.060 --> 00:14:18.086 Whatever portals actually00:14:18.086 --> 00:14:20.832 need to make use of them. Uh.00:14:20.832 --> 00:14:25.676 Yeah, basically anytime you make an endpoint,00:14:25.680 --> 00:14:27.822 ask yourself if there's a way that you could00:14:27.822 --> 00:14:29.877 cheese that endpoint to get some information.00:14:29.880 --> 00:14:31.770 You probably shouldn't be able to get.00:14:31.770 --> 00:14:36.299 And if the answer is possibly then.00:14:36.300 --> 00:14:36.954 I don't know,00:14:36.954 --> 00:14:39.188 dig into it some more and see if you can't.00:14:39.190 --> 00:14:41.665 Add an extra layer of00:14:41.665 --> 00:14:43.150 securing the information.00:14:43.150 --> 00:14:45.286 Uhm, this is especially important as00:14:45.286 --> 00:14:47.730 we start doing like HIPAA projects.00:14:47.730 --> 00:14:50.334 Uh, and any other projects that00:14:50.334 --> 00:14:52.070 are handling sensitive information00:14:52.135 --> 00:14:56.138 where there's more than just a.00:14:56.140 --> 00:14:58.590 Uh.00:14:58.590 --> 00:15:00.186 I guess more than just like00:15:00.186 --> 00:15:01.250 a person you know,00:15:01.250 --> 00:15:02.966 email and name on the other00:15:02.966 --> 00:15:05.268 side of the of the of the data.00:15:05.270 --> 00:15:07.895 There could be potentially sensitive00:15:07.895 --> 00:15:09.995 medical data with extremely.00:15:10.000 --> 00:15:14.375 Punitive legal consequence if that leaks out.00:15:14.380 --> 00:15:17.270 So. Uh.00:15:17.270 --> 00:15:20.286 Always good to air on the side of00:15:20.286 --> 00:15:21.690 over securing things.00:15:21.690 --> 00:15:23.018 Uh, there's really not.00:15:23.018 --> 00:15:25.363 Such thing as over securing it unless00:15:25.363 --> 00:15:27.344 you over secure it to the point00:15:27.344 --> 00:15:30.078 that it doesn't work anymore but.00:15:30.078 --> 00:15:32.682 Always good to.00:15:32.682 --> 00:15:33.550 Uhm,00:15:33.550 --> 00:15:37.480 just to just add whatever extra layers of uh,00:15:37.480 --> 00:15:39.220 checks for if the person is00:15:39.220 --> 00:15:41.389 allowed to be making the request,00:15:41.390 --> 00:15:43.982 or that it makes sense that that person00:15:43.982 --> 00:15:46.657 would be accessing some specific data.00:15:46.660 --> 00:15:48.520 And so on and so forth.00:15:52.170 --> 00:15:54.426 And this also only took like 30 minutes.00:15:54.430 --> 00:15:56.033 I don't know how I thought it00:15:56.033 --> 00:15:57.608 would take much longer. Uhm?00:15:57.608 --> 00:16:01.432 So I guess if anybody has any questions,00:16:01.440 --> 00:16:04.112 I'll. I can speak, or if anybody00:16:04.112 --> 00:16:05.478 wants to add anything that I forgot,00:16:05.480 --> 00:16:09.088 'cause that's always probable.00:16:09.090 --> 00:16:11.550 And then otherwise.00:16:11.550 --> 00:16:13.572 Uh, I guess I'll just keep00:16:13.572 --> 00:16:15.390 working on this discount thing.00:16:15.390 --> 00:16:18.030 That I'm working on.00:16:18.030 --> 00:16:19.294 It was nice then.00:16:19.294 --> 00:16:22.298 I mean RO had a lot of these endpoints00:16:22.298 --> 00:16:24.664 that could have been cheesed as you.00:16:24.670 --> 00:16:26.290 In the parlance of our times,00:16:26.290 --> 00:16:27.938 as you said, right,00:16:27.938 --> 00:16:31.078 Roe had some and could have been cheesed.00:16:31.078 --> 00:16:32.752 Uh, is there any other examples you00:16:32.752 --> 00:16:34.576 can think of off the top of your00:16:34.576 --> 00:16:35.932 head that have been cheesy lately?00:16:39.100 --> 00:16:43.250 I mean so. To be topical on it,00:16:43.250 --> 00:16:45.538 uh, the way that a certain part of00:16:45.538 --> 00:16:46.989 the functionality is implemented.00:16:46.990 --> 00:16:49.875 On CMC, we're using Serializable00:16:49.875 --> 00:16:52.183 attributes on the user.00:16:52.190 --> 00:16:54.619 The problem with that is that the00:16:54.619 --> 00:16:57.171 user can call update user on their00:16:57.171 --> 00:16:59.370 own user and change their attributes.00:16:59.370 --> 00:17:02.070 So if you're storing any attribute in that00:17:02.070 --> 00:17:06.830 that involves some process to be completed.00:17:06.830 --> 00:17:08.972 Or any attribute information on that00:17:08.972 --> 00:17:11.260 user that's supposed to be like00:17:11.260 --> 00:17:12.848 consistent state between visits.00:17:12.850 --> 00:17:14.790 Yeah, pay user. For example.00:17:14.790 --> 00:17:15.494 Yeah exactly.00:17:15.494 --> 00:17:17.606 Yeah, the user can change any00:17:17.606 --> 00:17:19.348 attribute they want at anytime00:17:19.348 --> 00:17:20.978 with that update user call.00:17:20.980 --> 00:17:24.040 And if so, if somebody.00:17:24.040 --> 00:17:26.790 What's stored I'm looking for?00:17:26.790 --> 00:17:27.436 Some.00:17:27.436 --> 00:17:30.020 I guess bad actor,00:17:30.020 --> 00:17:32.972 uh or whatever you wanna call it a00:17:32.972 --> 00:17:37.396 figures that out then they could potentially.00:17:37.400 --> 00:17:39.728 More or less game the system00:17:39.728 --> 00:17:42.102 into skipping steps in a process00:17:42.102 --> 00:17:44.328 or marking things as done or.00:17:44.330 --> 00:17:47.540 Uh, or giving themselves certain.00:17:47.540 --> 00:17:47.906 Attributes,00:17:47.906 --> 00:17:50.468 if they can figure out what the00:17:50.468 --> 00:17:52.944 correct ones are that allows them more00:17:52.944 --> 00:17:55.857 or less to take advantage of the website so.00:17:55.860 --> 00:17:58.044 And I guess that kind of goes back00:17:58.044 --> 00:18:00.420 to the other side of it is not00:18:00.420 --> 00:18:02.027 only is securing the endpoints00:18:02.027 --> 00:18:04.199 themselves a good way of of,00:18:04.200 --> 00:18:06.034 you know, taking care of the problem,00:18:06.040 --> 00:18:08.992 but also making sure that the00:18:08.992 --> 00:18:11.510 place you're storing the data.00:18:11.510 --> 00:18:16.030 You know at all is secure in the first place.00:18:16.030 --> 00:18:17.104 In general,00:18:17.104 --> 00:18:19.789 serializable attributes are not secure.00:18:19.790 --> 00:18:23.230 They should not be used to store any00:18:23.230 --> 00:18:25.819 secure information on any record really.00:18:25.820 --> 00:18:28.820 Sometimes they are not ideal,00:18:28.820 --> 00:18:29.430 but.00:18:31.820 --> 00:18:34.034 We really should be moving away00:18:34.034 --> 00:18:35.510 from using serializable attributes00:18:35.573 --> 00:18:37.553 as anything other than appending a00:18:37.553 --> 00:18:39.337 little bit of additional descriptive00:18:39.337 --> 00:18:42.890 information to a record. Uhm?00:18:42.890 --> 00:18:45.123 And if that if that means that00:18:45.123 --> 00:18:47.268 a project needs a schema change,00:18:47.270 --> 00:18:48.740 then so be it up.00:18:48.740 --> 00:18:50.612 It's a whole lot better to spend a00:18:50.612 --> 00:18:52.224 couple hours and add a new table00:18:52.224 --> 00:18:54.380 to the database than it is to leak00:18:54.380 --> 00:18:56.220 sensitive information and then get sued.00:18:59.280 --> 00:18:59.590 Yeah.00:19:13.440 --> 00:19:16.410 So. On that00:19:16.410 --> 00:19:20.470 have any thoughts, questions?00:19:20.470 --> 00:19:22.879 Additions, subtractions, even.00:19:31.000 --> 00:19:32.449 No, but I would say this might be a00:19:32.449 --> 00:19:33.987 good addition to back end Cert since00:19:33.987 --> 00:19:35.440 that's what I'm working on right now.00:19:35.440 --> 00:19:39.418 Might be a nice recording to have in there.00:19:39.420 --> 00:19:41.618 100% yeah yeah, even if it's not00:19:41.618 --> 00:19:42.560 specifically this recording.00:19:42.560 --> 00:19:45.044 The Yeah this this absolutely needs00:19:45.044 --> 00:19:47.669 to be like mandatory knowledge for00:19:47.669 --> 00:19:50.777 anybody that's gonna be working in self.00:19:50.780 --> 00:19:54.706 Uhm? It's just how to how to00:19:54.706 --> 00:19:57.370 write your code in a way that is.00:19:57.370 --> 00:20:01.024 Not filled with holes like Swiss cheese.00:20:01.030 --> 00:20:04.493 Uhm? And again, yeah,00:20:04.493 --> 00:20:06.598 it's this just becomes more00:20:06.598 --> 00:20:08.479 important as we move into.00:20:08.480 --> 00:20:10.478 A HIPAA and things like that,00:20:10.480 --> 00:20:13.162 where the the ramifications for leaking00:20:13.162 --> 00:20:16.193 information are a lot worse than on00:20:16.193 --> 00:20:18.533 just a regular E commerce website.00:20:18.540 --> 00:20:22.236 We have to be especially mindful00:20:22.240 --> 00:20:24.130 of the security of anything we're00:20:24.130 --> 00:20:25.750 doing on sites like that.