Postman and creating admin accounts for third-party sites. How to protect yourself?
I am creating an authorization system for the site.
By default, I assign a role (user) to each user.
There is an admin role.
There is a form that accepts an email and a password; accordingly, the role defaults to USER.
There is also the Postman tool, with which you can send a request not from the form but directly as JSON, that is, specify the role yourself.
How to protect your project from this method of creating admin accounts?
If you are using JWT properly, then the role should be stored in it. The token is protected by a signature, and substituting an arbitrary value into it will not work.
When logging in with a username/password, the role is taken from the database; it is not necessary to pass it in the form.
When a new user is created by the admin, the role of the sender of the request is checked on the backend (in the token).
When a new user registers on their own, the "user" role is forcibly assigned, and only a current admin can raise it.
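The pattern described in this answer, as an added example that is not part of the original post: a registration handler that copies every JSON field into the user record (so a hand-built request with `"role": "admin"` succeeds) next to a hardened one that reads only email and password and fixes the role server-side, plus an admin-only creation endpoint whose authorization comes from a signed token rather than the request body. The token is a minimal HMAC-signed JSON blob standing in for a real JWT library, and the in-memory `USERS` dict, the secret and the sample emails are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed signing key for this example; a real service loads it from config.
SECRET = b"example-signing-key-not-for-production"
ALLOWED_ROLES = {"user", "admin"}
USERS = {}  # constructed in-memory stand-in for the database: email -> record


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash_password(password: str) -> str:
    # Salted scrypt; the point of the example is role handling, not the KDF choice.
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return _b64(salt) + ":" + _b64(digest)


def issue_token(email: str) -> str:
    """Sign {sub, role}; the role is read from the database, never from the caller."""
    claims = {"sub": email, "role": USERS[email]["role"]}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_token(token: str) -> Optional[dict]:
    """Return the claims when the signature matches; None if tampered or malformed."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None
    return json.loads(_unb64(body))


def register_unsafe(payload: dict) -> dict:
    """Vulnerable pattern: every field of the JSON body is copied into the record,
    so a request that includes "role": "admin" creates an admin account."""
    record = {"role": "user", **payload}
    USERS[record["email"]] = record
    return record


def register_safe(payload: dict) -> dict:
    """Hardened pattern: only email and password are read from the body;
    the role is forced to "user" regardless of what the client sent."""
    record = {
        "email": payload["email"],
        "password_hash": _hash_password(payload["password"]),
        "role": "user",
    }
    USERS[record["email"]] = record
    return record


def create_user_as_admin(token: str, payload: dict) -> Optional[dict]:
    """Admin-only creation: the caller's role comes from the verified token,
    not from the request body. Returns None when the caller is not an admin."""
    claims = verify_token(token)
    if claims is None or claims.get("role") != "admin":
        return None
    record = register_safe(payload)
    requested = payload.get("role", "user")
    record["role"] = requested if requested in ALLOWED_ROLES else "user"
    return record


if __name__ == "__main__":
    print(register_unsafe({"email": "x@example.com", "password": "pw", "role": "admin"})["role"])
    print(register_safe({"email": "y@example.com", "password": "pw", "role": "admin"})["role"])
```

`register_unsafe` is the shape that the question's Postman request exploits; `register_safe` is what the answer recommends for self-registration, and `create_user_as_admin` is the "role of the sender is checked in the token" step. Forging the claims without the key fails `verify_token`, which is why the role carried in a signed token can be trusted on the backend.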