java - How to avoid abusive use of REST endpoint -


how can avoid abusive use of rest api? example, have website actions earn bunch of points stored within user account. technically, when ever action performed, call rest endpoint add points user account. action happens within website, therefore there no way check if action has happend within backend.

how can avoid uses javascript debugger find call , triggers directly in order cheat... there principle avoid such kind of abusive use?

edit: here example narrow down question: e.g. have waiting queue can decrease waiting period tweeting page. twitter sdk has callback method fires when user send tweet. when happens, backend called, e.g. api.somedomain.net/user/xyz123?hastweeted=1 or similar.

so question is, how protect last step (call api.somedomain.net), lookup rest url , trigger call manually, without creating tweet.

the answer simple: don't use ui definitive state users. stack overflow great example of this. when voted question, ui updated after rest call backend completed no errors. should waiting each rest call finish before updating state.

in event tries "hack" web page using javascript console, same logic should apply. rest service won't know whence request coming, logic should prevent malicious use, either intentional or unintentional.

edit:

the solution example problem have single rest call tweeting page makes actual rest call twitter from server side code. hastweeted count incremented when complete , successful call twitter api has finished. still leaves door open malicious users blast out tweets, twitter has in place prevent that.


Comments

Post a Comment

Popular posts from this blog

c# - Validate object ID from GET to POST -

i have method allows user access comment have made on site. have post method lets them update comment. my normal solution send entire comment model through, let them update it, update on database when post back. involve sending commentid through in hiddenfor , can manipulated. how can verify commentid sent in get method same i'm getting in post , not able alter comment wish? how can verify commentid sent in method same i'm getting in post? basically have validate following things in post - user logged-in user. authenticated users post comments. commentid in post , should valid commentid , should present in database. userid associated logged-in user should same userid associated comment . comment should contain userid column, can check @ time of update. to make sure update happens comment has been sent in get - hold commentid in session , in post action compare commentid value in session .
Read more

node.js - Custom Model Validator SailsJS -

when using custom model validator checks record within model. return within spread doesn't seem end control flow. //post.js model /** * custom validator **/ types: { isuservalid: function(user_id) { var promise = require('bluebird'); promise.all([ user.findone({id: user_id}) ]) .spread(function(user) { console.log(user); if (user === null || user === undefined) { console.log('failed'); return false; }else{ console.log('passed'); return true; } }); } }, my response standard validation failed response. { "error": "e_validation", "status": 400, "summary": "1 attribute invalid", "model": "post", "invalidattributes": { "owner": [ { "rule": "isuservalid", ...
Read more

php - Find a regex to take part of Email -

i have following emails need extract part from: bestellnummer xxx: 1 von xxx, 1er pack ------------- anfang der nachricht ------------- foo bar baz foo bar baz // <<<<< need text here ------------- ende der nachricht ------------- ------------- anfang der nachricht ------------- foo bar baz foo bar baz ------------- ende der nachricht ------------- there 0 unlimited occurences of ------------- anfang der nachricht ------------- ------------- ende der nachricht ------------- and i'm able extract first part regex: $re = "/------------- .*? -------------.?(.*?).?------------- .*? -------------/s"; but, i'm quite new on learning regex, i'm pretty sure there must better regex extract part (foo bar baz foo bar baz) of text between ------------- anfang der nachricht ------------- ------------- ende der nachricht ------------- as can in different languages, i'm using .? to match between hyphens. i...
Read more