| | 1 | = P9 – API Security (Input Validation, Rate Limiting, Auth Basics) = |
| | 2 | |
| | 3 | == Overview == |
| | 4 | In real systems, the database is accessed through an API (backend). Because of that, protecting the API is just as important as designing the database correctly. |
| | 5 | In Wedding Planner, endpoints such as RSVP updates and booking availability must be protected from invalid input and abuse. |
| | 6 | |
| | 7 | == Input validation == |
| | 8 | Input validation means checking all user input before using it in SQL queries or inserting it in the database. |
| | 9 | |
| | 10 | Why it matters: |
| | 11 | * prevents incorrect data from being stored |
| | 12 | * avoids broken constraints and invalid formats |
| | 13 | * reduces risk of attacks (SQL injection, malicious payload) |
| | 14 | |
| | 15 | Example connected to our project: |
| | 16 | When calling: |
| | 17 | {{{ |
| | 18 | /availability/venue?venue_id=1&date=2026-06-20&start=15:00&end=21:00 |
| | 19 | }}} |
| | 20 | |
| | 21 | The API should validate: |
| | 22 | * venue_id is numeric |
| | 23 | * date is valid YYYY-MM-DD |
| | 24 | * start/end are valid HH:MM |
| | 25 | * end_time > start_time |
| | 26 | |
| | 27 | Pseudo-code example: |
| | 28 | {{{ |
| | 29 | if not venue_id.isdigit(): return error("Invalid venue_id") |
| | 30 | if not valid_date(date): return error("Invalid date format") |
| | 31 | if end <= start: return error("Invalid interval") |
| | 32 | }}} |
| | 33 | |
| | 34 | == Rate limiting == |
| | 35 | Rate limiting protects the system from too many requests in a short time (spam / brute force). |
| | 36 | |
| | 37 | Why it matters in Wedding Planner: |
| | 38 | * availability checks can be called many times |
| | 39 | * attacker can overload API by repeatedly calling /availability/venue |
| | 40 | * database performance becomes worse under heavy traffic |
| | 41 | |
| | 42 | Example rule: |
| | 43 | * max 60 requests per minute per user/IP |
| | 44 | |
| | 45 | Pseudo-config (conceptual): |
| | 46 | {{{ |
| | 47 | limit_requests("/availability/venue", 60 per minute) |
| | 48 | }}} |
| | 49 | |
| | 50 | == Authentication basics == |
| | 51 | Authentication means verifying who the user is (login/session/token). |
| | 52 | |
| | 53 | Even though our P4 prototype is minimal and REST-based, in a real system: |
| | 54 | * only logged-in users should manage weddings |
| | 55 | * only wedding owner should edit guests / RSVP |
| | 56 | * users should not access other people’s weddings |
| | 57 | |
| | 58 | Example access rule (connected to our project): |
| | 59 | {{{ |
| | 60 | GET /weddings/1/guests |
| | 61 | }}} |
| | 62 | |
| | 63 | Should return data only if: |
| | 64 | * user is logged in |
| | 65 | * user owns wedding_id = 1 |
| | 66 | |
| | 67 | Pseudo-code: |
| | 68 | {{{ |
| | 69 | if not authenticated(): return 401 |
| | 70 | if wedding.user_id != current_user.id: return 403 |
| | 71 | }}} |
| | 72 | |
| | 73 | == Conclusion == |
| | 74 | API security protects the database by ensuring that only valid and allowed requests reach the data layer. |
| | 75 | For Wedding Planner, input validation is critical for correctness (dates/times/IDs), rate limiting protects frequent endpoints like availability checks, and authentication ensures users can only access their own weddings. |
| | 76 | These practices would be mandatory in a real production implementation of the system. |
