Changes between Version 2 and Version 3 of P9APISecurity

Timestamp:

01/13/26 20:03:41 (7 days ago)

Author:

193284

Comment:

--

P9APISecurity

@@ -2 +2 @@
 
 === Overview ===
-In a real Wedding Planner web application, the API is the main entry point for all user actions (view weddings, RSVP, guest management, availability checks).
-If API endpoints are not protected, attackers can abuse them to read private data, spam requests, or modify bookings.
+In a real Wedding Planner web application, the REST API is the main entry point for all actions (view weddings, manage guests, RSVP, bookings, availability checks).
+If API endpoints are not protected, malicious users can read private data, spam requests, or attempt to modify reservations.
 
-Even though our P4 prototype is minimal (Flask REST + SQLite), the same security principles would apply in a production version.
+Even though our P4 prototype is minimal (Flask REST + SQLite), the same security principles apply in a production environment.
 
 === Main risks for our API ===
-If security is missing, possible problems include:
- * Unauthorized access to wedding data (guests, RSVPs, bookings)
- * Fake RSVPs / attendance spam
- * Availability endpoint abuse (hundreds of calls per second)
+If API security is missing, common risks include:
+ * Unauthorized access to private wedding data (guests, RSVP responses, attendance info)
+ * Fake RSVP/attendance spam (polluting the database)
+ * Endpoint abuse (especially availability checks)
  * SQL injection attempts through query parameters
 
+In Wedding Planner, the most sensitive resources are:
+ * Guest lists (Guest table)
+ * RSVP responses (Event_RSVP table)
+ * Bookings (Venue_booking, Band_booking, Photographer_booking)
+
 === Input validation (most important rule) ===
-Input validation means checking every value that comes from the user before using it.
-In our system, this applies especially to parameters such as:
- * wedding_id, event_id, guest_id (must be integer)
- * date and time intervals for bookings (must be valid and logical)
- * RSVP status (must be only allowed values)
+Input validation means checking every parameter received from the user before using it in business logic or database queries.
+This prevents invalid requests, inconsistent data, and accidental crashes.
 
-Example validation rules in our project:
- * wedding_id must be a positive integer
- * end_time must be greater than start_time
- * RSVP status must be one of: accepted / declined / pending
+In our project, validation is especially important for:
+ * wedding_id, event_id, guest_id (must be positive integers)
+ * date, start_time, end_time (must be valid formats)
+ * RSVP status (must be an allowed value)
+
+Example validation rules:
+ * wedding_id > 0
+ * end_time > start_time
+ * RSVP status ∈ {accepted, declined, pending}
 
 Example (pseudo-code):
 {{{
 if wedding_id <= 0:
-    return error "Invalid wedding_id"
+    return 400 "Invalid wedding_id"
 
 if end_time <= start_time:
-    return error "Invalid time interval"
+    return 400 "Invalid time interval"
 }}}
 
 Why this matters:
-Without validation, invalid input can crash the API or create inconsistent data (wrong bookings, duplicates, broken rows).
+Without validation, we can store broken bookings (wrong times) or invalid RSVP values that affect attendance logic.
 
-=== Parameterized queries (protection from SQL injection) ===
-SQL injection happens when attacker input becomes part of the SQL query.
-The safe way is to use parameterized queries, never string concatenation.
+=== Parameterized queries (SQL injection prevention) ===
+SQL injection happens when untrusted input becomes part of an SQL query.
+The correct protection is to always use parameterized queries (never string concatenation).
 
 Unsafe example:
@@ -47 +54 @@
 }}}
 
-Safe example:
+Safe example (conceptual):
 {{{
-SELECT * FROM wedding WHERE wedding_id = %s;
+SELECT * FROM wedding WHERE wedding_id = ?;
 }}}
 
-In Wedding Planner this is important for endpoints like:
+This is critical for endpoints like:
  * /weddings/<wedding_id>/events
  * /weddings/<wedding_id>/guests
- * /availability/venue?venue_id=...&date=...
+ * /availability/venue?venue_id=...&date=...&start=...&end=...
 
-=== Basic authentication & authorization ===
-In a full production application, not everyone should access everything.
+If these endpoints use unsafe query building, attackers can try inputs like:
+{{{
+wedding_id = "1 OR 1=1"
+}}}
+which can expose data from multiple weddings.
+
+=== Authentication & Authorization (access control basics) ===
+In a full system, not every user should have access to all weddings.
 
 Authentication = who is the user?
@@ -64 +77 @@
 
 Example rules in Wedding Planner:
- * Only the wedding owner (User) can view/edit that wedding
- * Guests can only RSVP via invitation link (limited access)
- * Admin can manage venue data
+ * Only the owner of the wedding (User.user_id) can view/edit that wedding
+ * Guests can only RSVP for events they are invited to
+ * Only wedding owner can view full guest list
 
-Example check (conceptual):
+Example authorization check (pseudo-code):
 {{{
 if current_user.user_id != wedding.user_id:
@@ -74 +87 @@
 }}}
 
-This prevents a user from accessing another user's wedding details just by changing the wedding_id in the URL.
+This prevents the common issue where a user changes the wedding_id in the URL to access another person’s data.
 
-=== Rate limiting (prevent abuse) ===
-Rate limiting limits the number of requests per user/IP per minute.
-This is crucial for endpoints that can be abused.
+=== Rate limiting (prevent endpoint abuse) ===
+Rate limiting controls the number of requests per user/IP per time window.
+This prevents spam, brute-force attempts, and performance degradation.
 
-In our system the most "abusable" endpoint is:
+In Wedding Planner, the most “abusable” endpoint is:
  * /availability/venue
 
 Attack scenario:
-Someone sends thousands of availability checks -> server slows down or crashes.
+An attacker sends thousands of availability checks per minute which may overload the server.
 
 Example policy:
- * max 60 requests per minute per IP for /availability/venue
+ * 60 requests/minute per IP for /availability/venue
+ * 30 requests/minute for RSVP-related endpoints
 
-This keeps the API stable even under heavy traffic.
+This keeps the system responsive and stable under heavy traffic.
 
-=== How this connects to our project ===
-For Wedding Planner, API security should focus on:
- * Validating booking parameters (date/time overlap)
- * Protecting RSVP and attendance updates from spam
- * Ensuring only wedding owners can view guest lists
- * Preventing abuse of availability checks with rate limiting
+=== Practical examples connected to Wedding Planner ===
+The following protections directly apply to our system:
+ * Validate time interval and date format for venue bookings
+ * Reject RSVP status outside allowed values
+ * Limit repeated calls to availability endpoint
+ * Ensure wedding owner can access guest list and attendance overview
+
+Example: protect guest list endpoint
+ * /weddings/<wedding_id>/guests
+Rules:
+ * wedding_id must be valid integer
+ * current_user must be wedding owner
+ * SQL query must be parameterized
 
 === Conclusion ===
-API security is essential even for a minimal prototype, because it demonstrates how the system would behave in real-world conditions.
-For our Wedding Planner application, the most important protections are input validation, parameterized queries, basic access control, and rate limiting.
-These practices prevent common attacks (SQL injection, data leaks, endpoint abuse) and ensure the system remains stable and trustworthy.
+API security is essential because it protects the database and prevents abuse of the core system functionalities.
+For the Wedding Planner system, the most important measures are strict input validation, parameterized queries, access control (auth/authorization), and rate limiting.
+These practices prevent the most common attacks (SQL injection, data leaks, spam) and ensure the application remains stable and trustworthy.