asgs786037dHow can you not have auth protection for your APIs? Are they returning "Hello, World!" or what?
devNaut17237d@asgs basically our endpoints are just calling their endpoints, we offload the client by doing some lil elaboration on responses,...
Other endpoints are, for example, a send mail endpoint, which has nothing to do with the third party thing.
Since the bearer is released by the third party, the only way of protecting the mail endpoint is to do a check by calling GET /orders of the third party api and checking whether it fails or not...
Otherwise we need to create our own auth system, I hope so, but then we need to ask the user to login with our account, then with the third party account so we can call the api, and then ask the user for their id of the other api they want to include.
Another solution will be, maybe, to have a database where we map our account with their api accounts and then map to the id of the other service....
But since they are the ones controlling accounts and visibility they should be writing all changes to our db...
I'm seriously losing track of their thoughts...
jespersh727837dLearn what you can, evolve in private, and then find a new place.
asgs786037d@devNaut I believe your system should have its own auth mechanism. Otherwise, if I happen to know your endpoints, I can hit them, which will in turn hit your client's equivalents, returning all the information they can
This looks like a security breach. You should talk to them and figure out what they want
devNaut17232dYes @asgs and I will report the breach to them, thanks
my sensation is that they do not know how to behave or develop....
since they decided to have an api with user authentication, their users, and then to have us make a new frontend which, part one: only used their api, part two: wants to call a third service, which is a public one with its own authentication..
If they do not share their authentication system in some way to use it like an identity provider or so,
I'm just gonna use a filter on top of any endpoint which will actually call some of their endpoints and check if it's a 200 or 401, yay, faith in IT is gone for now 🙈😆 two companies and multiple developers involved and still this is the status
Lor-inc43657hIsn't an identity token supposed to be a signed thing that you can validate in place if you know the pubkey?
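The point Lor-inc raises is the usual answer to devNaut's "call GET /orders and see if it's a 200 or 401" filter: if the third party issues signed identity tokens and publishes the verification key, every endpoint (the proxying ones and the mail one alike) can validate the bearer locally, with no round trip to the provider. The Go program below is an added example written for this thread, not code from either company. It assumes a constructed, simplified JWT-style token (header.payload.signature, EdDSA only) and made-up names such as `third-party-idp` and `user-42`; a real provider's token format, key discovery and claim set would come from its documentation. `MintToken` stands in for the identity provider so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Claims is the subset of identity-token fields this example checks.
// Names follow the JWT registered claims; the token format itself is a
// constructed simplification (header.payload.signature, EdDSA only).
type Claims struct {
	Subject   string `json:"sub"`
	Issuer    string `json:"iss"`
	ExpiresAt int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// MintToken plays the identity provider: it signs claims with the private key.
// Included only so the example is self-contained (assumption, not the real IdP).
func MintToken(priv ed25519.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "EdDSA"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyToken validates a token in place: algorithm pinned, signature checked
// against the provider's public key, then issuer and expiry. No upstream call.
func VerifyToken(token string, pub ed25519.PublicKey, issuer string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return c, errors.New("bad header encoding")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm: the token must never choose how it is verified.
	if err := json.Unmarshal(headerJSON, &hdr); err != nil || hdr.Alg != "EdDSA" {
		return c, errors.New("unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return c, errors.New("bad signature")
	}
	payloadJSON, err := b64.DecodeString(parts[1])
	if err != nil {
		return c, errors.New("bad payload encoding")
	}
	if err := json.Unmarshal(payloadJSON, &c); err != nil {
		return c, errors.New("bad payload")
	}
	if c.Issuer != issuer {
		return c, errors.New("wrong issuer")
	}
	if c.ExpiresAt == 0 || !now.Before(time.Unix(c.ExpiresAt, 0)) {
		return c, errors.New("token expired")
	}
	return c, nil
}

// RequireAuth wraps any handler (the mail endpoint, the proxying endpoints)
// and rejects requests lacking a valid bearer before they do any work.
func RequireAuth(pub ed25519.PublicKey, issuer string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		if _, err := VerifyToken(strings.TrimPrefix(auth, "Bearer "), pub, issuer, time.Now()); err != nil {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// CallProtected sends one request through the middleware and returns the
// status code, so behaviour can be checked without a listening socket.
func CallProtected(pub ed25519.PublicKey, issuer, bearer string) int {
	h := RequireAuth(pub, issuer, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodPost, "/sendmail", nil)
	if bearer != "" {
		req.Header.Set("Authorization", "Bearer "+bearer)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tok, _ := MintToken(priv, Claims{Subject: "user-42", Issuer: "third-party-idp", ExpiresAt: time.Now().Add(time.Hour).Unix()})
	fmt.Println("valid token:", CallProtected(pub, "third-party-idp", tok))
	fmt.Println("no token:", CallProtected(pub, "third-party-idp", ""))
}
```

The middleware answers asgs's objection as well: an unauthenticated caller who discovers the endpoints gets a 401 before anything is forwarded to the client's API, and the mail endpoint is protected by the same check without ever calling GET /orders. Pinning `alg` and checking `iss` and `exp` are the parts most often skipped when people roll this by hand; the verification key would normally be fetched from the provider's published key set rather than generated in `main`.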