REST Easy — API Security Done Right

Video in TIB AV-Portal: REST Easy — API Security Done Right

Formal Metadata

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Why REST

More and more of our web development is shifting to frontend web frameworks like Angular, Ember, and Backbone. And this is great! These frameworks can provide an amazing, responsive, beautiful experience to our users — and the only price we pay is having to write JavaScript. Well, having to write JavaScript and having to maintain a seriously robust, battle-hardened API for the frontend framework to talk to.

State of REST

Django REST Framework has clearly broken away with a ton of momentum, and with good reason. It's a solid framework, and the tools it provides right out of the box — serialization, validation, nested relationships — are splendid. It even provides basic authentication and authorization baked right in, which works great in the very simple cases. However, when you start encountering slightly more complicated API permission setups, things start to get messy.

REST Security

There's a big tectonic shift when trading in your traditional request-response Django site for a frontend-framework-plus-API Django site. Your application logic used to reside almost entirely server-side, but now it's split — half server-side, half browser-side. And the trick with browser-side code is that it runs in a completely untrusted environment. So we're faced with a much more complicated security situation to batten down. You need different authentication strategies: session auth, JWT token auth, API keys, signed URLs, and combinations thereof. You have different permission strategies: table-level, row-level, column-level, and combinations thereof. It gets really complicated.

REST Easy

I'll show how to use the tools at our disposal — Django groups and permissions, REST Framework's permission classes, third-party libraries — to cobble together a passable security setup for your API. You'll get plenty of code samples, detailing the kinds of setups we put together for our site and the custom tooling we built to do it.

Next-Level REST

We'll end by talking about how our tools can serve us better in the future. If Django is going to have a strong place in the future of the web, we need strong tooling for building APIs. This is how we'll get there.
Thank you so much for being here and for listening. I'm talking about REST APIs here, and specifically security, or more specifically authorization and authentication within a REST API. So if that's what you're interested in, a little bit of knowledge of Django REST Framework is going to be helpful, but if you haven't had a chance to play with it I'll give you a very quick primer that hopefully will contextualize this stuff. So what we'll do today: I'll talk about why REST APIs are a big deal right now, why I'm talking about them, and why they've changed their scope a little bit and caused all of these new security considerations. We'll talk a little bit about what the state of REST is today: if you're writing a Django app and you want a REST API, what do you do? Then we'll get into security, a quick overview of the considerations around security and authorization when you're doing a REST API. I'll talk about some of the strategies we came up with to write clear, maintainable permission schemes for your API. The last section will be about what I hope happens tomorrow. I think our tooling is not quite there yet, and I'll talk about how we might be able to get there, so we can write really clear, easy API permission schemes.
So why are we talking about REST? The simple answer is: Ember, Angular, Backbone and so on have just exploded in popularity in the last couple of years, and they're really taking over a big chunk of what we do as web developers. The more nuanced answer is what I want to talk about: the pieces of your app, what's running where, where these new JavaScript frameworks come into play, and how that changes the game. You can break down your application, very roughly, into three basic components: display logic, which traditionally happens in the browser; app logic; and the data store. The traditional way this has been broken out is that display logic happens in the browser, and your application logic and your data store live on the server, the back end. Historically we rendered HTML and CSS and a little JavaScript to send to the browser, the browser posted an HTML form back to the server, and that worked really well until we wanted to do more things in the browser. Then we came up with this Ajax thing, and that worked fairly well for a lot of things, and we started doing more and more of the application logic in the browser. With Angular, Backbone and so on, that's where this really came into its own: huge portions of your app logic, which traditionally lived on the server, are now happening in the browser. It turned out that logic needed to sit a little closer to your data, so we started using REST heavily to shovel that information back and forth, at a lower level, between the front end and the back end, because you're doing all this app logic in the browser.
So let's start talking about how we do that today and the state of REST. This is Google Trends, so take it for what it is, but the blue line is Django REST Framework and the other two lines are Piston and Tastypie. There are a couple of interesting things to note about this graph. One is that Django REST Framework seems to be the clear winner of this crew at this point, and it's really only happened in the last couple of years; there's a huge community around it now and a lot of tooling around it, which is great. The other thing to note is just the magnitude in general: all three combined have really exploded in the last year or two, so this stuff is pretty important and growing. So here is a very brief overview of Django REST Framework, just to give you the ecosystem. There are serializers, which help you translate your Django models, your data, into a representation you send down over the wire, JSON and that sort of thing, and reinflate on the way back. There are views, which connect a queryset, your data, with that serializer, and then you connect that to an endpoint, in this case cats, at a given URL for your API. It comes with a bunch of authentication stuff: a bunch of built-in classes, and it's pluggable, so you can pip install other ones. So there's a pretty straightforward framework for authentication, and then permissioning, and we'll dive a little deeper into those two for the rest of this talk. So let's talk about security, authorization and authentication in the context of this.
Remember this diagram, where the browser was swallowing up your app logic. Another important way to think about this is that a lot of your app logic is now running in this insecure browser. We've been able to rely on the server being presumably secure: you wrote that code, you know what's going on. The browser, not so much: in the browser anyone can do anything nefarious and mess with whatever they want. As soon as we started doing more of the app logic in the browser, getting closer to the data store, it opened up a lot of new security issues that I don't think we have a lot of practice working with as web developers working in Django, given the way Django has historically worked. So there are new concepts to wrap your head around and new security issues to be aware of.
Here's a quick overview of the kinds of authentication, just to give you a sense of what's involved and why this is such a big problem. It's sort of an n-squared problem because there's so much going on. On the authentication side there are a lot of different ways to authenticate. Some are built in: you get session auth, token auth and OAuth; some you pip install, like JSON Web Token auth; there are a lot of mechanisms. The key here is that most of these web apps are not using just one. You might use Django session auth as your main authentication mechanism, but then if you do a password reset with a token, that's a different kind of authentication, and maybe you want users to sign up with Facebook, and that's another kind of authentication. Suddenly you've got all these different levels of authentication, and you have to cross-reference them with all the different kinds of permissions you care about, and there are a lot of those as well. You've got table-level permissions: can you access cats or not? There are row-level permissions: is this your cat or someone else's cat, and what does that mean for your permissions? There are column-level permissions: as much as we love cats, think about the user model. You might want your users to be able to set their name on your website, but you probably don't want them to set the superuser flag. So there's this column of permissions where you have to say these kinds of users with these kinds of authentication should be able to touch these columns but not those. And then there are HTTP-verb permissions, roughly analogous to read and write and that sort of thing. So you take all these things combined and you start to get this n-squared, n-cubed problem: a lot of different combinations, a lot of different situations you need to account for, and it gets messy really, really quickly. So let's talk a little bit about how we do a good job of this today: what tools we have at our disposal to put some order into this and make it maintainable, make it sane.
The first and really the biggest concept that I want you all to understand, take back and implement is small composable permissions: take those permission classes in Django REST Framework and make them as small and focused as possible. You'll see later that we're going to use a tool to compose those into more complicated permissions. So you might have some HTTP-verb permissions: we can create one called IsPost, a subclass of the permission class, and its has_permission function, which says "does this person have this permission", really just checks: is this a POST? That's it. On its own it's pretty much useless, but when we start composing it with other things you'll see the power of this. Then you might have one for IsPatch, and you might have one for each of the HTTP verbs, and these become tools in your tool chest that you can apply to more complex permissioning problems. Let's look at the next step: you might have an IsAuthenticated permission, and its has_permission just checks: are you authenticated? These are simple, easy to unit test, easy to think about and reason about, and they'll come together in really powerful ways a little later. You might have one for IsSuperuser that checks the superuser flag, and then all the other authentication traits go on and on: if you have Facebook authentication you have one of these for that; if you have a JSON Web Token authenticator you have one of these for that. Just really simple checks. You do the same thing potentially for ownership: are you the owner of this object? There's a little bit of a caveat here: the way Django REST Framework is set up, it's really hard to do this check in has_permission like you would for list-level permissions, getting a bunch of cats for example; you really end up having to implement that in the get_queryset method on the view or viewset, which is one of the things we'll talk about hopefully making better in the future. But there is has_object_permission, where you can define: does this user have permission to touch this object? That's pretty straightforward: is this request's user the owner of this object? And again you'd do this for all the different concepts in your application that you care about.
So to put it all together we need a couple more power tools. The first is a field restriction helper, and I'll walk you through it. Remember I mentioned that if you want your users to be able to set their name but you don't want them to set the superuser flag, this is how we're going to accomplish that sort of thing. It basically ends up being a class constructor, a class factory. I capitalized it so it looks like a class, which I think looks nice in the final product, but technically it's a function; if that bugs you, go ahead and name it in lower case. So you have a function that takes a set of fields, like the name field but not the superuser field, and what it's going to do is construct that permission class for you. It creates a set out of the fields and saves that for later, and then when that permission class gets asked in has_permission, it checks whether all the fields you're touching in this request are a strict subset of the allowable fields it was created with. So if you pass in just the name field, anyone who ever tries to touch the superuser flag will get denied by this restriction. You do essentially the same thing in has_object_permission, and then you return the permission class. So now we can restrict the columns you can access. This is a basic version of it; it's relatively straightforward to put together yourself, but it's also something we've written and would like to open source soon, because I would love more batteries to be out there ready to use. The last power tool we need is this thing called rest_condition. You can pip install rest_condition, and this is really the crux of everything: it gives you these composers, Ands and Ors and Nots, that you use to put these pieces together into more complicated permissions. So you could combine two things with an Or, and you could describe a permission as "if you have foo and not bar, then you have this permission". So let me show you an example of how we build a relatively complex permission structure out of these tiny pieces with rest_condition.
So we've got a viewset here for cats, and it's going to have a lot of other stuff in it; if you've written DRF code, there's a serializer and lots of other things defined in it, but all we care about is permission_classes, where we're defining it as a base. This base is a pattern you'll end up repeating again and again: the base is just Or-ing together a bunch of different sets of permissions, because different kinds of people have different kinds of access, and that's what you're describing here. So for example the first one is: if it's a GET, HEAD or OPTIONS, so effectively read-only, and you're an authenticated user, go for it. Or if it's a POST or PATCH and you're the owner of the cat and you're only touching the grumpiness level, go for it. Or if you're a superuser, you can do whatever you want. You can see this is not pretty, it's not super short, it's not a whole lot really easy, but it's a lot less messy and a lot less complicated than the alternative, which is writing all of those things again and again for every user, for every set of permissions. These composable things make it much more readable and much more maintainable. Now let's talk a little bit about the world of tomorrow: how could the world be better if we were to build some tooling around this?
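The cats rule just described, as an added example that is not the speaker's code: User, Request and Cat are constructed stand-ins for Django/DRF objects, and AllOf/AnyOf re-implement the And/Or composition so the block runs without Django or rest_condition installed.

```python
# Composable permissions for the cats endpoint, written framework-free.
# The hooks mirror DRF's has_permission / has_object_permission interface.
from dataclasses import dataclass, field

@dataclass
class User:                      # stand-in for django.contrib.auth's User
    username: str
    is_authenticated: bool = False
    is_superuser: bool = False

@dataclass
class Request:                   # stand-in for a DRF Request
    method: str
    user: User
    data: dict = field(default_factory=dict)  # fields the client is writing

@dataclass
class Cat:                       # stand-in for the Cat model
    owner: User
    grumpiness: int = 0

class Permission:
    def has_permission(self, request, view=None):
        return True
    def has_object_permission(self, request, view, obj):
        return True
    def allows(self, request, obj=None):
        # Object-level checks only count once the request-level check passed.
        if not self.has_permission(request):
            return False
        return obj is None or self.has_object_permission(request, None, obj)

class AllOf(Permission):         # plays the role of rest_condition's And
    def __init__(self, *perms): self.perms = perms
    def allows(self, request, obj=None):
        return all(p.allows(request, obj) for p in self.perms)

class AnyOf(Permission):         # plays the role of rest_condition's Or
    def __init__(self, *perms): self.perms = perms
    def allows(self, request, obj=None):
        return any(p.allows(request, obj) for p in self.perms)

class IsMethod(Permission):      # one tiny verb check, e.g. IsPost / IsPatch
    def __init__(self, *methods): self.methods = frozenset(methods)
    def has_permission(self, request, view=None):
        return request.method in self.methods

class IsAuthenticated(Permission):
    def has_permission(self, request, view=None):
        return request.user.is_authenticated

class IsSuperuser(Permission):
    def has_permission(self, request, view=None):
        return request.user.is_superuser

class IsOwner(Permission):       # row-level check: lives in the object hook
    def has_object_permission(self, request, view, obj):
        return obj.owner == request.user

def FieldsRestrictedTo(*fields):
    # Class factory from the talk: writes may only touch the listed columns.
    allowed = frozenset(fields)
    class RestrictedFields(Permission):
        def has_permission(self, request, view=None):
            return set(request.data) <= allowed
    return RestrictedFields()

# Authenticated users may read; owners may POST/PATCH but only grumpiness;
# superusers may do anything.
CAT_PERMISSION = AnyOf(
    AllOf(IsMethod("GET", "HEAD", "OPTIONS"), IsAuthenticated()),
    AllOf(IsMethod("POST", "PATCH"), IsOwner(), FieldsRestrictedTo("grumpiness")),
    IsSuperuser(),
)
```

Call `CAT_PERMISSION.allows(request)` for list actions and `CAT_PERMISSION.allows(request, cat)` for detail actions; a PATCH from the owner that names any field other than grumpiness is refused.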
Let's first give a quick overview of the problems that exist. There are a few things I don't like, even with these small composable permissions. One is that everything's endpoint-mixed: we defined this on the viewset class, which is roughly analogous to an endpoint, the cats endpoint of your API. I think the easier way to reason about this stuff is straight role-based permissions: if you're a superuser you get these permissions, if you're a cat owner you get these permissions, and those all get combined, but they get defined at a role level, which is much easier to reason about. Another is that the code is still scattered: you saw we've got has_permission, we've got has_object_permission, but some of it had to go in get_queryset, and it's still scattered throughout every single viewset definition. All of those little composable permissions are in lots of different places, and centralizing all the permission code in one common place would help a lot in reasoning about it. And as I mentioned, batteries are not entirely included: a lot of the authentication schemes are, but that fields thing and a lot of other pieces we've had to write internally. We're working on open-sourcing those, but in the meantime these batteries are not really included. And the default is confusing: do you by default have permission or not have permission? The more secure option is that by default you don't have permission, but the way this works it's sort of confused: in some ways it's one, in some ways it's the other. It would be helpful to just standardize on: no one has any permissions unless you explicitly set them.
So I want you to imagine what this might look like. This is not real: none of the code that would actually run this has been written, but I want to give an example of what this might look like, just to get the idea out there. Hopefully anyone here who is interested will be spending the rest of the week hacking on this and trying to get something together; if you're interested in helping out, I'd love your help to make this a better situation for everybody. This is sort of a v1 idea of what the world could look like: a role-based permission, the anonymous user here, where you define whether this role is active for this request, and then you define the permissions for that role. So in this case, for the cat endpoint, you can list or retrieve, but because the default is no permissions, you can't POST, you can't PATCH, you can't DELETE. This would go on, of course, for other permissions, and you'd go on and define other roles as well. There are a lot of nuances that aren't included here, and a lot still needs to be figured out about how this would be implemented, but I think making this whole ecosystem easier to reason about and easier to maintain is going to plug up some serious security holes. Even with these composable permissions we've had security holes, and I want to save people from that. I think that's partly our fault, we wrote the code, and partly the fault of the tools: the tools weren't helping us be secure. So that's what I want for the future, and if you're interested in helping, let me know. I just have to do a quick plug, since they paid for me to be here: if you know anyone who might want to work with us, let us know. That's it, thanks so much.