API Security and Best Practices v1.0-10
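@app.route('/api/user/<user_id>', methods=['GET'])
def get_user(user_id):
    """Return the public profile of a single user as JSON.

    Only an explicit allow-list of fields is serialized. The raw record from
    ``db.get_user_by_id`` carries at least the bcrypt password hash (``login``
    reads ``user['password']`` from the same kind of record) and must never be
    handed to ``jsonify`` whole.

    Args:
        user_id: path segment identifying the user; passed to the store as-is.

    Returns:
        ``200`` with ``{"id": ..., "username": ...}`` (missing keys omitted),
        or ``404`` with ``{"error": ...}`` when no user matches.

    NOTE(review): nothing in this handler authenticates the caller or checks
    that they may view ``user_id``. Unless an app-level ``before_request`` /
    auth middleware not visible here covers this route, any client can walk
    the id space (Broken Object Level Authorization) — confirm and gate it.
    """
    user = db.get_user_by_id(user_id)
    if not user:
        # Original code returned ``null`` with 200 for unknown ids.
        return jsonify({"error": "User not found"}), 404
    # Allow-list, not deny-list: a newly added sensitive column is withheld by
    # default instead of leaking until someone remembers to strip it.
    public_fields = ('id', 'username')
    return jsonify({k: user[k] for k in public_fields if k in user})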
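@app.route('/api/login', methods=['POST'])
def login():
    """Authenticate a username/password pair and issue a JWT.

    Expects a JSON body ``{"username": str, "password": str}``. Malformed
    input (no JSON body, missing keys, non-string values) is rejected with
    ``400`` instead of surfacing a ``KeyError``/``AttributeError`` as a 500
    with a stack trace.

    Returns:
        ``200`` with ``{"token": ...}`` on success, ``401`` with a generic
        error on bad credentials, ``400`` on a malformed request.

    NOTE(review): ``bcrypt.checkpw`` only runs when the username exists, so
    response time reveals which usernames are registered. If user enumeration
    matters for this service, run a dummy ``checkpw`` against a fixed hash on
    the miss path as well.
    NOTE(review): bcrypt only compares the first 72 bytes of the password;
    consider rejecting (or pre-hashing) longer inputs at registration time.
    """
    body = request.get_json(silent=True) or {}
    username = body.get('username')
    password = body.get('password')
    if not isinstance(username, str) or not isinstance(password, str):
        return jsonify({"error": "username and password are required"}), 400
    user = db.get_user_by_username(username)
    # Same error body for "no such user" and "wrong password" so the
    # response content does not distinguish the two cases.
    if user and bcrypt.checkpw(password.encode('utf-8'),
                               user['password'].encode('utf-8')):
        return jsonify({"token": generate_jwt_token(user['id'])})
    return jsonify({"error": "Invalid credentials"}), 401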
`get_user` hands the entire record returned by `db.get_user_by_id` to `jsonify`, so every stored field — including sensitive ones such as the bcrypt password hash and any tokens kept on the user row — is exposed in the response to anyone who can request `/api/user/<user_id>`.
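@app.route('/api/search', methods=['GET'])
def search():
    """Search the store for the ``query`` string from the URL query string.

    A missing or empty ``query`` is rejected with ``400`` rather than
    forwarding ``None`` to ``db.search``.

    Returns:
        ``200`` with the JSON-serialized result of ``db.search``, or ``400``
        with ``{"error": ...}`` when ``query`` is absent.

    NOTE(review): this endpoint has no rate limit, so every request costs a
    database search that an unauthenticated client can trigger at will.
    NOTE(review): ``db.search`` is opaque from here — confirm it parameterizes
    ``query`` rather than interpolating it into a SQL/NoSQL statement.
    """
    query = request.args.get('query')
    if not query:
        return jsonify({"error": "query parameter is required"}), 400
    return jsonify(db.search(query))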
Without a rate limit, an attacker can flood `/api/search` with requests; each one triggers a `db.search` call, so a single unauthenticated client can exhaust web-server and database capacity (denial of service).
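@app.route('/api/search', methods=['GET'])
@limiter.limit("10 per minute")
def search():
    """Rate-limited search for the ``query`` string from the URL query string.

    ``@limiter.limit`` is the inner decorator so it wraps the view function
    itself; requests over 10 per minute are rejected by the limiter before
    the handler body runs. A missing or empty ``query`` is rejected with
    ``400`` rather than forwarding ``None`` to ``db.search``.

    Returns:
        ``200`` with the JSON-serialized result of ``db.search``, or ``400``
        with ``{"error": ...}`` when ``query`` is absent.

    NOTE(review): the limiter's ``key_func`` is not visible here. If it keys
    on the remote address and the app sits behind a reverse proxy without
    ``ProxyFix``, all clients share one bucket (or the key comes from a
    spoofable ``X-Forwarded-For``) — confirm the keying strategy.
    NOTE(review): ``db.search`` is opaque from here — confirm it parameterizes
    ``query`` rather than interpolating it into a SQL/NoSQL statement.
    """
    query = request.args.get('query')
    if not query:
        return jsonify({"error": "query parameter is required"}), 400
    return jsonify(db.search(query))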
Any authenticated user can invoke the delete endpoint, because the handler verifies only that the caller is logged in and never checks for an admin role before performing the deletion (Broken Function Level Authorization).