I have a fairly simple API setup on a MEAN stack using PassportJS. I have no problems setting up my routes with no security (grabbing general data) and with user authentication
It seems that you are missing an API check on the userId. For example, you have a route like /api/:userId/data/:dataId and you would like to ensure that only users who are allowed to access this data item can do so. Then what you would need to do is check that the userId provided in your authentication token is the same as the userId in the API route!
You already have authentication put in place, so what you now need to implement is authorization.
Authentication: Validating an identity as true or false—generally used to verify that a user is who he/she says they are. Most commonly achieved through a username/password combination, but the same principle applies to other forms of authentication like secret questions, secret links, bio-metric identification, etc.
Authorization: Specifying which resources a user (with a given identity) should be allowed to access.
(source: Auth0 Identity Glossary)
If your authentication system is designed correctly, the access token presented in order to be granted initial access to the /api/users/:id endpoint will allow you to know which user is calling your application, so now what you need to do is implement the business rules that dictate which data the user can access on each individual endpoint.
For the /api/users/:id case, if you want users to only be allowed to access their own data, the rule might be as simple as checking that the user identifier requested on the API route matches the user identifier associated with the access token. Given that the access token needs to be implemented in such a way that it cannot be tampered with, you guarantee that only the correct user is granted access to the data.