rest - Passing user ID in body or in token


I'm building a REST API. The API uses a JWT authentication system.

Obviously this means that secured paths need a valid JWT token passed along with the request in the Authorization header. Inside each JWT token we have:

    sub: 1 //_id 

where sub is the id of the authenticated user.

My question is, when I pass the token, is there any need to pass the user id in the request body as well? For instance, I have a create premises method. It requires the POST body to contain name and description, like so:

    {
        name: "test premises",
        description: "lorem ipsum"
    }

In this case, the API has to find the user to associate the new premises with by verifying that the token passed is valid, decoding it, and retrieving the sub field.

Is this method OK?

Are there any drawbacks?

Should I be passing the ids in the body as well?

Is this method OK?

Yes, that's the point of the authentication token.

Should I be passing the ids in the body as well?

You would have a really big security hole if you allowed the user id to be sent by the client, e.g. an authenticated user could create premises on behalf of another user if they knew (or spoofed) that user's id.
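The following is an added, self-contained example (not code from the question or the answer) that shows both halves of the answer side by side: a handler that trusts a client-supplied user_id, and one that takes the owner only from the verified token's sub claim and refuses a body that tries to name a user. It implements HS256 JWT signing and verification with the standard library so it runs offline; the signing key, the premises record layout, the in-memory PREMISES list and the forge_sub helper are all assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example; a real service loads the key from secrets storage.
SECRET = b"example-hs256-signing-key"
ALG = "HS256"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: int, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Mint an HS256 JWT whose `sub` is the authenticated user's id."""
    now = time.time() if now is None else now
    header = {"alg": ALG, "typ": "JWT"}
    payload = {"sub": user_id, "iat": int(now), "exp": int(now) + ttl}
    h64 = _b64url(json.dumps(header, separators=(",", ":")).encode())
    p64 = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Check algorithm, signature and expiry; return the claims or raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != ALG:  # refuse alg=none and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if "sub" not in claims:
        raise ValueError("missing sub")
    return claims


PREMISES = []  # in-memory stand-in for the database (assumption)


def create_premises_vulnerable(body: dict) -> dict:
    """The hole from the answer: the owner is whatever user_id the client sends."""
    rec = {"owner": body["user_id"], "name": body["name"], "description": body["description"]}
    PREMISES.append(rec)
    return rec


def create_premises(authorization: str, body: dict, now: Optional[float] = None) -> dict:
    """The hardened form: the owner is the verified token's sub, never a body field."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("missing bearer token")
    claims = verify_token(token, now=now)
    for key in ("user_id", "owner", "sub"):
        if key in body:  # reject rather than silently ignore, so misuse is visible
            raise ValueError(f"field {key!r} is not accepted in the body")
    rec = {"owner": claims["sub"], "name": body["name"], "description": body["description"]}
    PREMISES.append(rec)
    return rec


def forge_sub(token: str, new_sub: int) -> str:
    """What an attacker would try: rewrite sub in the payload and keep the old signature."""
    h64, p64, s64 = token.split(".")
    claims = json.loads(_b64url_decode(p64))
    claims["sub"] = new_sub
    return f"{h64}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{s64}"


if __name__ == "__main__":
    tok = issue_token(2)
    body = {"name": "test premises", "description": "lorem ipsum"}
    print(create_premises("Bearer " + tok, body))
    print(create_premises_vulnerable({"user_id": 1, **body}))  # anyone can claim user 1
    try:
        verify_token(forge_sub(tok, 1))
    except ValueError as exc:
        print("forged sub rejected:", exc)
```

The hardened handler never consults the body for identity, so the only way to create premises for user 1 is to hold a token whose sub is 1 and whose signature verifies under the server's key; editing the sub of an existing token fails the signature check. Rejecting user_id, owner or sub in the body is a deliberate choice here, so that a client built against the old contract fails loudly instead of having its field silently dropped.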

