I don't understand API permissions

System Information
  • Strapi Version: 3.6.7
  • Operating System: Debian
  • Database: MySQL Azure Database
  • Frontend: NextJS static website (next export)

I have a question about security using the GraphQL plugin, and about how Strapi API endpoints work in general. It stems from my lack of experience and may seem obvious to some of you, so bear with me please.

Say I want my users to be able to like posts made by others. My user naturally has the Authenticated role, so in Strapi I give that role access to the default update permission in Posts to achieve this.

Then in my NextJS soon-to-become-serverless front end I put this code:

// Apollo client imports assumed for gql and useMutation
import { gql, useMutation } from '@apollo/client';

const QUERY = gql`
    mutation AddPostLike($postID: ID!, $userID: ID!) {
        updatePost(
            input: { where: { id: $postID }, data: { liker: $userID } }
        ) {
            post {
                id
            }
        }
    }`;
// useMutation returns [mutateFunction, result]; keep the mutate function to call later
const [addPostLike] = useMutation(QUERY);

I then pass $userID to this function depending on the currently connected user in my user context. This works. But here comes the part that I’m not sure about… If I understand correctly, any Authenticated user now has the ability to update any post through the API.

Since everything is client side, can the user potentially extract his own token and use it to fire whatever update query he wants outside of what I defined in my code?

If he can’t for some reason, can he instead hijack this exact query by modifying the $userID variable (in browser memory? since it’s stored client side) to an id other than his own, for example?

Is all of this magically prevented by GraphQL/Strapi API/something else…? If it isn’t, where can I learn more about the correct way of doing this?

It has been bugging me for a while now, I’d appreciate any help filling this gap in my understanding of how the API works!

will bump only this once :frowning_face:

Yes, this is true.

Yes, he can.

I don’t have much experience with graphql but if the user has the permissions, he can do whatever he wants. He can for example fire up Postman and achieve the same result through the REST API.

I would create an API route to handle liking and such; you can find more information about creating routes, controllers and doing backend logic here (Backend customization - Strapi Developer Documentation).

You can also create a policy to prevent users from modifying posts they are not the author of.
(Backend customization - Strapi Developer Documentation, also from the link above)

And I would suggest restricting users from the update permission and just write your own logic on the backend.

Added another example/tutorial from the docs: Is Owner - Strapi Developer Documentation
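To make the two suggestions above concrete, here is an added example that is not code from this thread or from Strapi itself: a dedicated "like" action that takes the liker from the verified JWT instead of the request body, and an is-owner style policy in the Strapi v3 (ctx, next) shape guarding the generic update. The functions, the in-memory stand-in for strapi.services.post, and the sample posts are all constructed so it runs offline with node; real Strapi v3 code would use the global strapi object rather than the strapi parameter used here.

```javascript
// Added example (not from the thread or Strapi): hardened "like" action plus an
// is-owner policy, exercised against a constructed in-memory post store.

// Constructed store standing in for strapi.services.post; `author` and `likers`
// hold user ids. A fresh store per run keeps the scenarios independent.
function makeStore() {
  const posts = [
    { id: 1, author: 10, title: 'first post', likers: [] },
    { id: 2, author: 11, title: 'second post', likers: [10] },
  ];
  const strapi = {
    services: {
      post: {
        async findOne({ id }) {
          return posts.find((p) => p.id === Number(id)) || null;
        },
        async update({ id }, data) {
          const p = posts.find((x) => x.id === Number(id));
          Object.assign(p, data);
          return p;
        },
      },
    },
  };
  return { posts, strapi };
}

// Koa-like ctx shaped the way Strapi's users-permissions plugin populates it:
// ctx.state.user comes from the verified JWT, never from the request body.
function makeCtx({ userId = null, params = {}, body = {} }) {
  const ctx = { state: { user: userId ? { id: userId } : null }, params, request: { body }, status: 200, body: undefined };
  const fail = (status) => (message) => { ctx.status = status; ctx.body = { error: message }; return ctx.body; };
  ctx.unauthorized = fail(401);
  ctx.forbidden = fail(403);
  ctx.notFound = fail(404);
  return ctx;
}

// The pattern the question describes: a generic update that writes whatever
// the client sent. With "update" granted to Authenticated, any logged-in user
// can change any field of any post this way.
async function openUpdate(ctx, strapi) {
  const updated = await strapi.services.post.update({ id: ctx.params.id }, ctx.request.body);
  ctx.body = updated;
  return updated;
}

// Hardened "like" action: the liker is always the authenticated user and the
// body is ignored, so the client can neither pick another user id nor touch
// other fields. Mount it on its own route and leave the generic update
// permission disabled for Authenticated.
async function likePost(ctx, strapi) {
  const user = ctx.state.user;
  if (!user) return ctx.unauthorized('Authentication required');
  const post = await strapi.services.post.findOne({ id: ctx.params.id });
  if (!post) return ctx.notFound('Post not found');
  const likers = post.likers.includes(user.id) ? post.likers : [...post.likers, user.id];
  const updated = await strapi.services.post.update({ id: post.id }, { likers });
  ctx.body = { id: updated.id, likers: updated.likers };
  return ctx.body;
}

// Policy in the Strapi v3 (ctx, next) shape: only the post's author may reach
// the handler it guards.
async function isOwner(ctx, next, strapi) {
  const user = ctx.state.user;
  if (!user) return ctx.unauthorized('Authentication required');
  const post = await strapi.services.post.findOne({ id: ctx.params.id });
  if (!post) return ctx.notFound('Post not found');
  if (post.author !== user.id) return ctx.forbidden('You can only update your own posts');
  return next();
}

// Runs three cases on a fresh store and returns the outcomes for checking.
async function runScenario() {
  const { posts, strapi } = makeStore();
  // 1. User 11 likes post 1 while the body claims liker 10 and a new title: both ignored.
  const like = makeCtx({ userId: 11, params: { id: '1' }, body: { liker: 10, title: 'changed' } });
  await likePost(like, strapi);
  const titleAfterLike = posts[0].title;
  // 2. User 11 tries the open update on post 1 behind the is-owner policy: forbidden.
  const notOwner = makeCtx({ userId: 11, params: { id: '1' }, body: { title: 'renamed' } });
  await isOwner(notOwner, () => openUpdate(notOwner, strapi), strapi);
  const titleAfterForbidden = posts[0].title;
  // 3. User 10, the author, does the same: allowed.
  const owner = makeCtx({ userId: 10, params: { id: '1' }, body: { title: 'renamed by author' } });
  await isOwner(owner, () => openUpdate(owner, strapi), strapi);
  return {
    likeStatus: like.status, likers: like.body.likers, titleAfterLike,
    notOwnerStatus: notOwner.status, titleAfterForbidden,
    ownerStatus: owner.status, finalTitle: posts[0].title,
  };
}

runScenario().then((r) => console.log(r));
```

The point of the split is that the client never chooses who the liker is: with a dedicated route the server derives it from ctx.state.user, and the only thing a user can do with a stolen or reused token is like posts as themselves, which is what the permission was meant to allow in the first place.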

Thanks a lot! it finally clicked :grinning_face_with_smiling_eyes:

This guide is actually outdated; I wouldn’t recommend doing a controller customization here, just use policies.