2

I have my backend endpoints for registering and logging in users delivered through a REST API, or GraphQL to be more specific.

I want to implement a role-based system for my users.

The admins and moderators can be created on the admin module for example:

{
  username: 'peter',
  password: 'peter123',
  role: 'admin'
}

But the regular users that can be created on my application will send the same input, but instead of 'admin' the role 'user' would be sent.

I was thinking about this approach and was wondering if it's secure?

Can users change the request object and change the role to admin, and then have super user access ?

Are there any best practices about this, or is this completely safe?

asked Oct 30, 2019 at 8:13

1 Answer

2

I would never give the user the chance to say what they can do (which is, after all, what a role defines). It's like saying "Hey, I'm David, and I'm a supersaiyan" while I might just be a regular human, and then everyone blindly accepts that I'm a supersaiyan.

What your authorization service should do is only allow the user to say who they are (e.g. hey, I'm David) and then the authorization service should say "ok David, you are a regular user" or "ok David, you are an admin". What this means is that the authorization service must know who you are and what you are (stored, for example, in a database), and then give you permissions based on that.

I recommend you check RBAC and ABAC libraries; they usually implement well-established practices.

answered Oct 30, 2019 at 8:37
