Well, that's the issue.
A link can be accessed by different ROLES; an ADMIN ROLE can access the
same endpoint as a USER ROLE but requires sending and receiving entirely
different data (see RBAC/ABAC).
Thus hardcoding is NOT a solution for secure endpoints. They have to be
created dynamically to take this into consideration.
And if it is being done dynamically, you may as well have it on demand.
Owen Rubel
orubel@gmail.com
On Wed, Jan 15, 2025 at 1:52 AM Asbjørn Ulsberg <asbjorn@ulsberg.no> wrote:
> On 15 Jan 2025, at 03:20, Owen Rubel <orubel@gmail.com> wrote:
>
> > So basically what I am saying is that since you hardcode the links for
> HATEOAS, they violate security like RBAC, which defines what ROLES can
> access which endpoints.
>
> If you consider the existence and visibility of a particular link in a
> response message a security risk (although that sounds a bit like security
> by obscurity to me), or performance overhead, then just exclude the link
> from the response.
>
> The response can be tailored to each authorised client based on RBAC, ABAC
> and any other configuration the origin server may consider applicable to
> the given request.
>
> --
> Asbjørn Ulsberg. -=|=- asbjorn@ulsberg.no
> «He's a loathsome offensive brute, yet I can't look away»
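As an added illustration of the point both messages circle around (links emitted per authorised client, and the same endpoint returning different data to different roles), here is a small Python example. It is not code from either correspondent; the policy table, the `/orders/{id}` resource, the roles USER/ADMIN, the `mfa` attribute and the sample principals are all constructed for illustration. The link set is built on demand from the same RBAC/ABAC predicates that the endpoint re-checks on the actual call, so omitting a link is a courtesy to the client rather than the security boundary.

```python
"""Added example, not from the mailing-list thread: HATEOAS links generated
per request from an RBAC/ABAC policy, with the same policy enforced at the
endpoint. Every role, path and attribute below is a constructed placeholder."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset
    attributes: dict = field(default_factory=dict)


# Predicates combine a role check (RBAC) with request/resource attributes (ABAC).
def _is_owner(p, res):
    return res["owner"] == p.user_id


def _is_admin(p, res):
    return "ADMIN" in p.roles


def _is_owner_or_admin(p, res):
    return _is_owner(p, res) or _is_admin(p, res)


# Hypothetical policy table: (HTTP method, link relation) -> predicate.
# A link is emitted only when the predicate grants access, and the endpoint
# evaluates the very same predicate when the link is followed.
POLICY = {
    ("GET", "self"): _is_owner_or_admin,
    ("PUT", "edit"): _is_owner_or_admin,
    ("DELETE", "delete"): _is_admin,
    # ABAC on top of RBAC: admins may audit only with an MFA-backed session.
    ("POST", "audit"): lambda p, r: _is_admin(p, r) and p.attributes.get("mfa") is True,
}


def links_for(principal, resource):
    """Build the _links map for one response: one entry per policy row the caller passes."""
    links = {}
    for (method, rel), allowed in POLICY.items():
        if allowed(principal, resource):
            suffix = "" if rel in ("self", "edit", "delete") else f"/{rel}"
            links[rel] = {"href": f"/orders/{resource['id']}{suffix}", "method": method}
    return links


def render(principal, resource):
    """Same endpoint, different representation per role: fields and links both vary."""
    body = {"id": resource["id"], "status": resource["status"]}
    if _is_admin(principal, resource):
        body["owner"] = resource["owner"]  # only admins see who owns the order
    body["_links"] = links_for(principal, resource)
    return body


def authorize(principal, resource, method, rel):
    """Endpoint-side check: hiding a link never substitutes for this decision."""
    rule = POLICY.get((method, rel))
    return bool(rule and rule(principal, resource))


# Constructed sample data.
ORDER = {"id": "o-42", "owner": "alice", "status": "open"}
OWNER = Principal("alice", frozenset({"USER"}))
OTHER_USER = Principal("bob", frozenset({"USER"}))
ADMIN_MFA = Principal("carol", frozenset({"ADMIN"}), {"mfa": True})
ADMIN_NO_MFA = Principal("dave", frozenset({"ADMIN"}))

if __name__ == "__main__":
    import json
    for p in (OWNER, OTHER_USER, ADMIN_MFA, ADMIN_NO_MFA):
        print(p.user_id, json.dumps(render(p, ORDER)))
```

Running it prints one representation per principal: the owner gets `self` and `edit`, an unrelated user gets an empty link set, and an admin gets `delete` and, only with the `mfa` attribute, `audit`. The `authorize` function is what the route handler calls; a client that guesses a link it was not given still fails there.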