Wednesday, 1 June 2016

Do I need to check if a Facebook UserID provided by a client is actually a valid UserID?

For instance, let's say I'm getting a picture for a user. The client code might call http://ift.tt/1Ze3r35 and my app will then send back a URL for the appropriate image to load. Internally, it'd be making an API call to /v2.6/{user_id}/picture literally just taking the user parameter it receives and placing it in that string. I think I want to keep this serverside so that the client doesn't have to worry about where the profile picture comes from (if I end up adding, for example, Google+ login in the future).

Is this a security concern? Could a nefarious user make a call to http://ift.tt/1XhIlnf and then have it run /v2.6/destructiveEndpoint/picture? Or are there no such destructive endpoints to worry about (since the app secret is not being used here)? If there are destructive endpoints to worry about, I should then be making sure that whatever userid I get is a valid one before using it, correct?
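The following is an added example, not code from the question or from Facebook's SDKs. It shows what goes wrong with the literal interpolation described above and one way to constrain it: accept only a decimal digit string as a user ID, and percent-encode the value into a single path segment so that the server-side request can only ever have the shape /v2.6/{id}/picture, whatever the upstream API happens to expose at other paths. The host graph.facebook.com, the 20-digit upper bound, and the crafted inputs are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import quote

# Assumed Graph API base for the picture lookup described in the question.
GRAPH_BASE = "https://graph.facebook.com/v2.6"

# Assumption: Facebook user IDs (including app-scoped IDs) are decimal digit
# strings. The length bound is a constructed, conservative limit.
_USER_ID_RE = re.compile(r"\A[0-9]{1,20}\Z")


def naive_picture_path(user_id: str) -> str:
    """The pattern from the question: the client-supplied value is dropped
    straight into the path template with no validation."""
    return f"/v2.6/{user_id}/picture"


def path_is_single_picture_lookup(path: str) -> bool:
    """Return True only if the built path still has the intended shape
    /v2.6/<exactly one segment>/picture with no query or fragment smuggled in.
    Used here to show how the naive template can be steered elsewhere."""
    if "?" in path or "#" in path:
        return False
    segments = [s for s in path.split("/") if s]
    return len(segments) == 3 and segments[0] == "v2.6" and segments[2] == "picture"


def is_valid_user_id(user_id: str) -> bool:
    """Allowlist check: the value must be a plain digit string."""
    return bool(_USER_ID_RE.match(user_id))


def safe_picture_url(user_id: str) -> str:
    """Validate first, then encode. quote(..., safe='') also escapes '/', '?'
    and '#', so even if the allowlist is loosened later the value can only
    occupy a single path segment."""
    if not is_valid_user_id(user_id):
        raise ValueError("user_id must be a numeric Facebook user ID")
    return f"{GRAPH_BASE}/{quote(user_id, safe='')}/picture"


def classify(user_id: str) -> dict:
    """Summarise, for one client-supplied value, what the naive template would
    request and whether the hardened builder accepts it."""
    naive = naive_picture_path(user_id)
    try:
        hardened = safe_picture_url(user_id)
    except ValueError:
        hardened = None
    return {
        "input": user_id,
        "naive_path": naive,
        "naive_shape_ok": path_is_single_picture_lookup(naive),
        "hardened_url": hardened,
    }


# Constructed inputs: one legitimate ID and several values a client could
# send to move the request away from the picture edge.
SAMPLE_INPUTS = [
    "100001234567890",
    "me",
    "123/../some-other-node",
    "123?fields=email",
    "123#frag",
]

if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        print(classify(value))
```

The check is deliberately an allowlist on the value rather than a blocklist of "dangerous" paths, because the set of nodes and edges reachable behind the access token is the API's business, not the proxy's. A stricter design, common in practice, is to not accept the ID from the client at all and instead read it from the authenticated session the server already holds for that user.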



