
Understanding Authorization Before Authentication: Enhancing Web API Security

Posted on Jun 23

In today's digital landscape, where data breaches and cyber attacks have become increasingly prevalent, ensuring the security of web applications and APIs is critical. While most developers are familiar with the concept of authentication, a crucial aspect that often gets overlooked or misunderstood is authorization. We'll explore a real-world scenario, identify common security risks, and discuss mitigation strategies. So let's get started!

Before we jump into the specifics, let's clarify the difference between authorization and authentication. Authorization is the process of determining what resources or functionalities a user can access within an application; it revolves around identifying and granting appropriate permissions. Authentication, on the other hand, involves verifying the identity of a user and ensuring that they are who they claim to be. So it makes sense that you wouldn't want to grant someone access to things before you know who they are.

Let's examine a practical example to understand this better. Consider an e-commerce store built on the Ruby on Rails framework, a fork of the Spree e-commerce platform. When looking at a sequence diagram of the cart interaction, you'll notice that the authentication step is missing when accessing the cart functionality. Clicking on the cart with an item already added to it does not prompt the user to sign in. While this may be by design, because the cart does not contain any personally identifiable information, the very next step in the purchase process does: the application asks for a shipping address.

In my opinion, a good rule of thumb is that any time we capture personally identifiable information, the application should authenticate the user once that information has been submitted. Any time that type of information is presented, the user must be authenticated and authorized before viewing or updating it. It can be challenging and time-consuming to uncover and address these security concerns.
Often, software teams look to tools or audits to point them at what is causing the issue, which can be complex and require hours of investigation. The AppMap runtime analysis tool can give us a comprehensive look at the problem, what is causing it, and where it comes from in a matter of minutes. AppMap provides insights into how our applications behave at runtime, allowing us to analyze their execution flows and detect potential issues. With AppMap, we can identify and potentially fix security vulnerabilities, such as authorization-before-authentication problems.

Analyzing the code using AppMap, we discover that the authorization-before-authentication violation occurs in multiple places within the application. Specifically, we observe the use of CanCan, a library for authorization, which performs authorization before any authentication check.

Inspecting the trace view and sequence diagram in AppMap, we trace the flow of events leading to the violation. We find that the "get cart" process triggers the authorization step without first authenticating the user. This type of behavior could allow unauthenticated users to access restricted resources.

As we explore the dependency map, we notice that the authorization call is sent to the Spree Order controller, which resides outside of our application's codebase. This presents a challenge, since we lack direct control over Spree's authentication process.

To address this security risk, we need to modify the order of operations and ensure that authentication occurs before authorization. In this specific case, the README of the application states that every request is assumed to come from an admin user, which is a major red flag. To mitigate this, we can implement the following strategies:

By adopting these strategies, you can strengthen the security of your web APIs and prevent unauthorized access to sensitive resources.
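To make the ordering problem concrete, here is an added example (not code from the original post, from Spree, or from AppMap). It uses a tiny stand-in for Rails' `before_action` chain and a CanCan-style `Ability`, with a constructed sample order and users. The `InsecureCheckoutController` mirrors what the post describes: authorization runs before authentication, and an absent user falls back to a hypothetical "assume admin" identity, as the application's README suggested. The `SecureCheckoutController` authenticates first and never invents a default user. The `checkout_status` helper and all class and constant names are assumptions for this illustration.

```ruby
# Constructed sample data: one order belonging to user 42.
Order = Struct.new(:id, :user_id)
User  = Struct.new(:id, :admin)
SAMPLE_ORDER = Order.new(1001, 42)

# Minimal CanCan-like ability: a user may act on an order they own;
# an admin may act on any order. A nil user is never allowed anything.
class Ability
  def initialize(user)
    @user = user
  end

  def can?(_action, order)
    return false if @user.nil?
    @user.admin || order.user_id == @user.id
  end
end

# Minimal controller base: filters run in declaration order, and the chain
# halts as soon as a filter sets a response status (like Rails' before_action).
class BaseController
  def self.before_action(name)
    (@filters ||= []) << name
  end

  def self.filters
    @filters || []
  end

  def initialize(session_user)
    @session_user = session_user
    @status = nil
  end

  # Runs the filter chain, then the action; returns the resulting status symbol.
  def dispatch
    self.class.filters.each do |filter|
      send(filter)
      return @status if @status
    end
    show
    @status
  end

  def show
    @status = :ok # the shipping-address page would render here
  end

  def authenticate_user!
    @status = :unauthorized if current_user.nil?
  end

  def authorize_order
    @status = :forbidden unless Ability.new(current_user).can?(:read, SAMPLE_ORDER)
  end
end

# The pattern the post flags: authorize before authenticate, and treat a
# missing session user as an admin (hypothetical "assume admin" fallback).
class InsecureCheckoutController < BaseController
  before_action :authorize_order
  before_action :authenticate_user!

  def current_user
    @session_user || User.new(0, true)
  end
end

# Hardened ordering: authenticate first; an anonymous request stays nil and
# is rejected with 401 before any authorization logic runs.
class SecureCheckoutController < BaseController
  before_action :authenticate_user!
  before_action :authorize_order

  def current_user
    @session_user
  end
end

# Dispatches a request for the sample order as the given session user.
def checkout_status(controller_class, session_user)
  controller_class.new(session_user).dispatch
end

if __FILE__ == $PROGRAM_NAME
  p checkout_status(InsecureCheckoutController, nil)               # :ok (exposed)
  p checkout_status(SecureCheckoutController, nil)                 # :unauthorized
  p checkout_status(SecureCheckoutController, User.new(42, false)) # :ok
  p checkout_status(SecureCheckoutController, User.new(7, false))  # :forbidden
end
```

The insecure controller returns `:ok` for an anonymous request because the authorization filter consults a fabricated admin identity before anyone has checked who is actually calling; the secure controller answers `:unauthorized` to the same request, `:ok` to the order's owner, and `:forbidden` to a different authenticated user. In a real Rails application the same ordering applies to `before_action :authenticate_user!` relative to CanCan's `load_and_authorize_resource`.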
It is crucial to prioritize security throughout the development lifecycle to avoid compromising user data and to maintain the trust of our users.

Guarding against authorization before authentication is a vital security principle: it ensures users are properly identified before they are granted access to resources. By leveraging tools like AppMap and following best practices, we can proactively identify and address security vulnerabilities early on, ultimately building more secure and reliable web applications.

Thank you for joining me in this exploration of authorization before authentication in web API security. Stay tuned for more articles, and if you have any questions or suggestions, feel free to leave a comment below!



This post first appeared on VedVyas Articles.
