Because this is not an open API for an open web service, I need to think about securing the URLs. Each user will have a different level of access: a booker shouldn't be able to delete drivers or account customers. This could be set in terms of the URLs a client application can send. However, if the API is accessible over the Internet, which it would be for account customers, there is a risk that someone could attempt to access private information. For example, a URL of drivers/32 could return the full details of a driver: name, address, phone numbers, etc. Someone who could guess the URL could type it into a web browser and gain access to information that should not be shared.
This comes back to logging into the system: if a user is not logged in, the server should return a 401 status, 'Unauthorized'. If a user is logged in but doesn't have the correct level of access, for example an account customer trying to delete a driver, they should get a 405 status, 'Method Not Allowed', and the list of methods applicable to them (GET, HEAD) should be returned.
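One way to express this check, as an added example that is not code from the original post. The role names, the permission table and the authentication scheme in the 401 header are assumptions. The login check runs before the URL is parsed, so a guessed URL such as drivers/32 reveals nothing to an anonymous caller.

```python
import re

# (role, resource) -> HTTP methods that role may use.
# Constructed for illustration; the real table depends on the application.
PERMISSIONS = {
    ("admin", "drivers"): {"GET", "HEAD", "POST", "PUT", "DELETE"},
    ("admin", "customers"): {"GET", "HEAD", "POST", "PUT", "DELETE"},
    ("booker", "drivers"): {"GET", "HEAD", "PUT"},
    ("booker", "customers"): {"GET", "HEAD", "POST", "PUT"},
    ("account_customer", "drivers"): {"GET", "HEAD"},
}

# Matches "drivers", "drivers/32", "/drivers/32/" and similar.
ROUTE = re.compile(r"^/?(?P<resource>[a-z]+)(?:/(?P<id>\d+))?/?$")


def authorize(role, method, path):
    """Decide the response status before any handler touches the data.

    role is None when the request carries no valid login session.
    Returns (status, headers); 200 means the request may proceed.
    """
    # 1. Not logged in: 401, regardless of whether the URL exists.
    if role is None:
        # A 401 response must name a scheme; "Basic" here is an assumption.
        return 401, {"WWW-Authenticate": 'Basic realm="api"'}

    match = ROUTE.match(path)
    if match is None:
        return 404, {}

    # 2. Logged in: look up what this role may do. Deny by default, so an
    #    unlisted (role, resource) pair gets an empty method set.
    allowed = PERMISSIONS.get((role, match["resource"]), set())
    if method.upper() not in allowed:
        # 405 carries an Allow header listing the methods open to this role.
        return 405, {"Allow": ", ".join(sorted(allowed))}

    return 200, {}


if __name__ == "__main__":
    for role, method in [(None, "GET"), ("account_customer", "DELETE"),
                         ("booker", "DELETE"), ("account_customer", "GET")]:
        print(role, method, "drivers/32", "->",
              authorize(role, method, "drivers/32"))
```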