Thursday, 20 April 2017

REST API in MEAN stack, passed id vs id from session

I'm building a web app using MEAN stack.

While building the REST API I see a lot of examples with the following endpoint

/api/contacts/:id

for GET, PUT and DELETE methods.

I did something different: I enabled sessions in the Express framework, and now I can see the user document id (for MongoDB) under req.session.req.payload._id when I do an HTTP request, which enables me to access the document.

That's why I also don't need to expose the user document id in the URL when I make an HTTP request.

My question is which method is better and safer to use?

Also, how can I get the user id in Angular to pass to the HTTP request in case I don't use sessions?

And a final one... I also use JWT as middleware before calling the function which updates the DB. This gives me some sense of security, but wouldn't it be possible for a user with the correct token to do HTTP requests with different ids and thereby get, update and delete other users' data? This won't be possible with the current method I'm using (sessions).



via Eliran Kanza
