The problem
So there you are, Alice, hacking away at a web application on a weekend night while you should probably be doing something social or resting from work or school or whatever. You know what I’m talking about. It’s your third week straight staying up late on a Friday night, working on that super clean web API.
The API, or Application Programming Interface, in question is the backend for that “Tinder but for naked mole rats” mobile app that you’re building. You see, you let your friend Bob, from highschool (now a Business major), convince you of building that app entirely on your own. Of course, you only agreed to do that in exchange for a minority share of hypothetical equity in a venture valued at exactly 0 dollars (at the moment).
You’re feeling awesome. You’ve got all that equity, yes, but you’re actually pumped about the way the project is going. You’ve been testing your API endpoints on Insomnia or Postman or some other API explorer, they’re performing as you want them to. You even have some iOS prototype written in Swift.
The iOS prototype is nothing fancy. A couple screens, very little styling. That’s not important though. What’s important is you managed to click a button to make a GET request from your test device (your older brother’s old iPhone 8, probably) and, like magic, the account information for one “Lorem Ipsum” a male naked mole rat from “Dolor sit amet” who is looking for female naked mole rats, popped up on one of Steve Jobs’ magic pieces of glass and metal.
You can’t believe it. You are one step closer, and quite well on your way, to enabling those little naked mole rats to start meeting their soulmates with just a fated swipe to the right. Imagine the possibilities!
And then it dawns on you.
You didn’t have to prove to your backend API that you were Lorem Ipsum, the naked mole rat in question. Neither did the app you installed on your brother’s iPhone 8. As a matter of fact, now that you’ve started thinking about it, you are fairly confident that you could get on any device in the world, as long as it was connected to the internet and it had a web browser, and query your hosted web API for pretty much any piece of information on your database.
You see, you designed a very thorough API that exposed pretty much every piece of data to CRUD (Create, Read, Update, Destroy) operations, in case you needed that data for a future feature. That would sure save you time. Your efforts to save yourself some work in the future have backfired.
You realize that any malicious naked mole rat with half a mind to steal the personal information that Lorem Ipsum has entrusted you with can do so by just firing up their favoritte web browser and navigating to:
https://api.nakedmoleratmeet.rat/v1/users/lorem-ipsum/super-sensitive-personal-data
They could even go a step further and install their favorite API explorer or use curl to make a PATCH or POST request from their terminal and change poor Lorem Ipsum’s personal information.
You want to avoid all of this. You
Do you have any opinion with regards to what I’ve discussed, or would you like to suggest a topic for my next blog post? Write it down in a comment below or write me on Twitter @technicalboy__ or e-mail. Don’t forget to share this blog post on Facebook, Twitter or LinkedIn using the buttons below. If you like the blog, recommend it to your friends!
Comments