
How to create isolations between clients in an app


Hi, I'm learning Blazor and I'm creating a backend & frontend app (Blazor WebAssembly). It works well, but my question is related to security.

I have user, business customer, and invoice. It's a very simple app, and user Id is a GUID while the others (business customer and invoice) are int & sequential (incremented by 1, like 1, 2, 3 and ...).


Each user cannot see the other users' data and must not have access to it. This app has 2 parts, an API backend and a Blazor frontend.

Let's add some data like:


And end users can also use the API directly, without using the frontend.

I have in Invoice Repository:

Task<List<Invoice>> GetInvoicesListAsync(int businessId);

and after verification users can access their invoice list.

If we have a verified end user like "Alex" (in the second row of the user table), he can retrieve data that does not belong to him, because BusinessId is sequential, and when he knows his business Id is 99 he can retrieve invoices for businesses 100, 101, 102 and ... just by trying something like:

var lst = await GetInvoicesListAsync(101);

My questions are:

1- How can we stop that? Do I need to force the end user to pass the UserId as well into the API params for security, like this:

Task<List<Invoice>> GetInvoicesListAsync(Guid userId, int businessId);

2- If I add userId, does that have an impact on performance? Because in this case I need to do an inner join with the user table too, and if we have a complex database then it has a big impact on performance.

3- What is your advice?

Thanks


Solution

  • Answers as point list:

    1. No, you don't. The method GetInvoicesListAsync(int businessId) is good enough from a security point of view. You need to extract the list of businesses per user and check if the requested business is in the list, or more simply add a where / join condition filtering the invoices on the businesses of the user.

    2. Inner join is not a problem if you have the right indexes. Use your DB's explain query plan to verify that your query is using an index and does not execute any full table scan.

    3. When your user calls the API you need to verify the user (valid token or cookie) and obtain the list of the associated businesses, so you don't need to receive this info from the API parameters. This is the biggest concern from a security point of view. The rule for a secure API is "hey API, what's my name?"
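An added example (not from the question or the answer) of points 1 and 3 together, as an ASP.NET Core minimal API with EF Core: the endpoint takes only the businessId from the request, reads the user id from the validated token, and the repository's join on the owning user is the authorization check. The entity shapes, the OwnerUserId column, the route and the reliance on the web SDK's implicit usings are assumptions.

```csharp
using System.Security.Claims;
using Microsoft.EntityFrameworkCore;

// Minimal entities for the question's tables (constructed for this example).
public class BusinessCustomer { public int Id { get; set; } public Guid OwnerUserId { get; set; } }
public class Invoice { public int Id { get; set; } public int BusinessId { get; set; } }

public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> o) : base(o) { }
    public DbSet<BusinessCustomer> Businesses => Set<BusinessCustomer>();
    public DbSet<Invoice> Invoices => Set<Invoice>();

    protected override void OnModelCreating(ModelBuilder mb)
    {
        // Indexes that keep the ownership join cheap (answer point 2).
        mb.Entity<BusinessCustomer>().HasIndex(b => b.OwnerUserId);
        mb.Entity<Invoice>().HasIndex(i => i.BusinessId);
    }
}

public class InvoiceRepository
{
    private readonly AppDbContext _db;
    public InvoiceRepository(AppDbContext db) => _db = db;

    // Ownership is part of the query itself: a businessId that belongs to another
    // user yields an empty list, not that user's invoices.
    public Task<List<Invoice>> GetInvoicesListAsync(Guid userId, int businessId) =>
        (from i in _db.Invoices
         join b in _db.Businesses on i.BusinessId equals b.Id
         where b.Id == businessId && b.OwnerUserId == userId
         select i).ToListAsync();
}

// The user id comes from the validated token ("hey API, what's my name?"),
// never from the request; the request only carries the businessId.
public static class InvoiceEndpoints
{
    public static void Map(WebApplication app) =>
        app.MapGet("/businesses/{businessId:int}/invoices",
            async (int businessId, ClaimsPrincipal user, InvoiceRepository repo) =>
            {
                var sub = user.FindFirst(ClaimTypes.NameIdentifier)?.Value;
                if (!Guid.TryParse(sub, out var userId)) return Results.Unauthorized();
                return Results.Ok(await repo.GetInvoicesListAsync(userId, businessId));
            }).RequireAuthorization();
}
```

Because the user id is never accepted from the client, changing the businessId in the URL to 100, 101, ... returns an empty list for anything the caller does not own; the same pattern applies to every per-business endpoint.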