
Question

I am building an API that returns data about companies. Multiple applications will access the API; some of these applications will have access to one company, some to multiple companies. When a request is received for data, an ApplicationApiKey is also sent. I check if the ApiKey has access to the company data. This works great for the applications that are allowed access to one company; however, an ApplicationApiKey may have access to multiple companies.

A user from Company1 could log in to the application and send a request to https://myapi.com/ticketrequest?timestamp=20140808&ticket=123. The user could update the ticket parameter to a different number. This could be the ticket number of a different company that the application is authorized to access but the logged-in user is not. How do I stop users modifying this URL to a ticket number of a different company?

These are my thoughts so far:

1. It is enough to have my API accessible via SSL only.
2. Ask the application developer to encrypt the parameters, e.g. https://myapi.com/ticketrequest?re1=ABNFOPO6KJGFD8JGFADIP. This seems feasible for GET requests, but what about POSTs?
3. Not my problem; it's up to the app developer (until something happens, when it will be).
4. My whole process is wrong; it should be one APIKey per company (but this is not possible, as applications may add and remove users from different companies).

Thanks for any replies

Explanation / Answer

Your problem is a problem of authorization.

IMHO your whole concept of authorizing an application is wrong. If you really care about data breaches between companies, you should implement authorization at the user level. Each user of the application should authenticate himself, and you should have some mechanism for authorizing users to access company data.
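A worked version of the user-level check the answer recommends, applied to the tampered ticket parameter from the question. This is an added example, not code from the original question or answer: the in-memory tables, the key and session-token strings, and the function names are all constructed for illustration, and the way the API learns which user is behind a request (here a per-user session token passed alongside the ApplicationApiKey) is an assumption about a design the page does not specify.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    ticket_id: int
    company_id: str
    subject: str


# Constructed sample data (not from the original page). Tickets from two
# companies share one numeric ID space, which is what makes ?ticket=123
# trivially guessable as ?ticket=124.
TICKETS = {
    123: Ticket(123, "Company1", "Printer offline"),
    124: Ticket(124, "Company2", "Payroll export failing"),
}

# ApplicationApiKey -> companies the *application* is entitled to access.
APP_KEYS = {
    "appkey-helpdesk": {"Company1", "Company2"},  # multi-company application
    "appkey-portal": {"Company1"},                # single-company application
}

# Per-user session token -> (user id, companies the *user* belongs to).
# Assumption: the API derives this from the user's own authentication
# (e.g. a signed token the application obtains per user), never from a
# request parameter the browser can edit.
USER_SESSIONS = {
    "sess-alice": ("alice", {"Company1"}),
    "sess-bob": ("bob", {"Company2"}),
}


class ApiError(Exception):
    """Carries the HTTP status the endpoint would return."""

    def __init__(self, status: int, message: str) -> None:
        super().__init__(message)
        self.status = status


def ticket_request_app_only(api_key: str, ticket_id: int) -> Ticket:
    """The check described in the question: only the application's
    entitlement is verified. Any user of a multi-company application can
    read any ticket that application may see."""
    allowed_for_app = APP_KEYS.get(api_key)
    if allowed_for_app is None:
        raise ApiError(401, "unknown ApplicationApiKey")
    ticket = TICKETS.get(ticket_id)
    if ticket is None or ticket.company_id not in allowed_for_app:
        raise ApiError(404, "ticket not found")
    return ticket


def ticket_request(api_key: str, session_token: str, ticket_id: int) -> Ticket:
    """User-level authorization: the ticket's owning company must be
    permitted for BOTH the calling application and the authenticated user.
    The company is taken from the stored ticket, never from the request,
    so it does not matter whether ticket_id arrived in a query string or
    a POST body."""
    allowed_for_app = APP_KEYS.get(api_key)
    if allowed_for_app is None:
        raise ApiError(401, "unknown ApplicationApiKey")
    session = USER_SESSIONS.get(session_token)
    if session is None:
        raise ApiError(401, "user not authenticated")
    _user_id, allowed_for_user = session

    ticket = TICKETS.get(ticket_id)
    # One response for "does not exist" and "not yours", so the endpoint
    # cannot be used to enumerate which ticket numbers exist.
    if (ticket is None
            or ticket.company_id not in allowed_for_app
            or ticket.company_id not in allowed_for_user):
        raise ApiError(404, "ticket not found")
    return ticket


def request_status(api_key: str, session_token: str, ticket_id: int) -> int:
    """HTTP status the hardened endpoint would answer with."""
    try:
        ticket_request(api_key, session_token, ticket_id)
        return 200
    except ApiError as err:
        return err.status


if __name__ == "__main__":
    # Alice (Company1) tampers ticket=123 into ticket=124, a Company2 ticket,
    # through the multi-company helpdesk application.
    leaked = ticket_request_app_only("appkey-helpdesk", 124)
    print("application-level check leaked:", leaked.company_id, leaked.subject)
    print("user-level check answers:", request_status("appkey-helpdesk", "sess-alice", 124))
```

The important moves are that the company is resolved from the ticket record rather than trusted from the client, and that the request must satisfy two independent entitlements: the application's and the user's. Encrypting or obscuring the parameter (option 2 in the question) does not change who is allowed to read the record, and SSL (option 1) only protects the request in transit from third parties, not from the logged-in user who sends it. Returning 404 for both a missing ticket and a ticket the caller may not see is a deliberate choice so that the response itself does not reveal which ticket numbers exist.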