
API Security

  • 1.  API Security

    Posted 01-10-2020 13:06
    Hi All, 

    I'm working with a development team and want to limit their access to sensitive data within our application.  The developer will need to make extensive API calls.  I'm aware that this level of access can be used to gain access to basically all parts of an application.

    The proposed workaround is to create a duplicate application, without sensitive data, where they can conduct most of their work prior to going live.  The developer would be provided API access to this new application only.  Is this possible?

    I've read the documentation here: https://help.quickbase.com/api-guide/authentication_and_secure_access.html.
    It appears to indicate that if the user is authenticating through a 'User Token' this can be made app specific and the developer will not be able to access other applications within the domain.  If the developer is authenticating through a 'Ticket' then that ticket can be used to access the entire domain.  Therefore, the developer should be given access only to the duplicate application and should authenticate through a 'User Token' they create.   Is this correct?

    If anyone has experience with this I would love any feedback you can offer.  

    Thanks!
    Jake



    ------------------------------
    Jake R
    ------------------------------


  • 2.  RE: API Security

    Posted 01-10-2020 13:08
    When a User Token is set up, the owner of the Token can select which apps it will be valid for. Initially it will not be valid for any apps.

    ------------------------------
    Mark Shnier (YQC)
    Quick Base Solution Provider
    Your Quick Base Coach
    http://QuickBaseCoach.com
    mark.shnier@gmail.com
    ------------------------------



  • 3.  RE: API Security

    Posted 01-10-2020 13:18

    Hi Mark, 

    True.  And that does make it seem like a good path to go down.  My question is more to confirm this statement:  

    "If I give a developer access to an app, where they can create a user token, they can apply that user token only to apps which they have been given access to.  Therefore, they will not be able to use any API method to access the other applications in our domain"

    If the statement isn't true, is there another way to give a developer API access to one app, while restricting their access from any other apps on the domain?

    Thanks,
    Jake



    ------------------------------
    Jake R
    ------------------------------



  • 4.  RE: API Security

    Posted 01-10-2020 13:22
    Yes, when a user creates an app token, that app token becomes them, in terms of their permissions. 

    So if they were a viewer to an app, then anyone using their token would also just be a viewer, and if they had no access to an app then neither would their token.  I have not tested if it's possible to assign a User Token to an App where you have no access (i.e. I doubt that app would even come up on a list), but regardless, if the userid does not have access to an app, then neither will the Token.  And if the User later loses their access to an app, then so will their Token lose access.

    ------------------------------
    Mark Shnier (YQC)
    Quick Base Solution Provider
    Your Quick Base Coach
    http://QuickBaseCoach.com
    mark.shnier@gmail.com
    ------------------------------
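A least-privilege check for the setup Mark describes, added here as an example and not code from the thread or from Quickbase: before handing the user token to the developer, probe every app ID in the realm with it and confirm that only the sandbox copy answers. It assumes the REST endpoint GET https://api.quickbase.com/v1/apps/{appId} with the QB-USER-TOKEN Authorization header; the realm host, app IDs and the offline stand-in transport are constructed placeholders.

```python
import json
import urllib.error
import urllib.request

API_BASE = "https://api.quickbase.com/v1"  # assumed REST base URL


def urllib_transport(url, headers):
    """Live GET using only the standard library; returns (status, body)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe_token_scope(realm_host, user_token, app_ids, transport=urllib_transport):
    """Map each app ID to True if GET /apps/{id} succeeds with this token.
    `transport(url, headers) -> (status, body)` is injectable so the check runs offline."""
    headers = {"QB-Realm-Hostname": realm_host,
               "Authorization": f"QB-USER-TOKEN {user_token}",
               "User-Agent": "token-scope-check/1.0"}
    # Any non-200 (401 bad token, 403 no access, 404) counts as "not reachable".
    return {app: transport(f"{API_BASE}/apps/{app}", headers)[0] == 200
            for app in app_ids}


def scope_violations(reachable, allowed):
    """App IDs the token can reach but should not: a least-privilege failure."""
    allowed = set(allowed)
    return sorted(app for app, ok in reachable.items() if ok and app not in allowed)


def fake_transport_factory(granted):
    """Constructed offline stand-in: 200 for apps the token is assigned to, 403 otherwise."""
    granted = set(granted)

    def transport(url, headers):
        app_id = url.rsplit("/", 1)[-1]
        if app_id in granted and headers.get("Authorization", "").startswith("QB-USER-TOKEN "):
            return 200, json.dumps({"id": app_id})
        return 403, json.dumps({"message": "Access denied"})
    return transport


if __name__ == "__main__":
    # Constructed realm: the sandbox copy (only app the token should see) plus two production apps.
    sandbox, prod = "bqsandbox1", ["bqprod0001", "bqprod0002"]
    seen = probe_token_scope("example.quickbase.com", "PLACEHOLDER_TOKEN",
                             [sandbox, *prod], fake_transport_factory({sandbox}))
    print("reachable:", seen)
    print("violations:", scope_violations(seen, [sandbox]))
```

Run it against the live realm by dropping the `transport` argument and supplying the real token; any app listed under "violations" means the token (or the user who owns it) still has access it should not.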



  • 5.  RE: API Security

    Posted 01-10-2020 13:35
    Thanks Mark.  You are correct that if there is no access to an application it will not appear in the list.  Appreciate the feedback.  That makes me more confident about securing our apps with this method.

    ------------------------------
    Jake R
    ------------------------------