Bummer! This is just a preview. You need to be signed in with a Basic account to view the entire video.

Preview

Start a free Basic trial
to watch this video

Sign up for Treehouse

Authorizing and Monitoring User Activities

2:33 with Alena Holligan and Jared Smith

After you authenticate a user, you want to make sure that you don’t allow them to perform actions on your site that they are not allowed to do, or that could negatively impact your service or other users. For this reason, you should always implement proper access control checks and authorize all user actions.

Documentation

  • 0:00

    Authentication is only one part of the story.

  • 0:03

    You also need to be sure your users are allowed to perform certain actions.

  • 0:08

    This is known as authorization, and

  • 0:10

    it's mainly about managing permissions for users.

  • 0:14

    Why do you need to authorize a user by specifying

  • 0:17

    every action they are allowed to perform?

  • 0:20

    In this simple case, you could give a user the ability to access your admin panel and

  • 0:24

    steal credentials.

  • 0:26

    Even worse,

  • 0:27

    a user could gain access to the underlying servers on which you run your software.

  • 0:32

    This would allow them to steal even more data or use the servers in a botnet.

  • 0:37

    The malicious possibilities are endless, and

  • 0:39

    it's your job as an informed developer to protect your users and your services.

  • 0:46

    When authorizing users to perform actions, you should

  • 0:49

    always validate your users' actions, both on the client and on the server.

  • 0:54

    Validating actions on the client reduces low hanging fruit for

  • 0:58

    less motivated attackers.

  • 1:00

    However, client-sided code is much more vulnerable to malicious attacks.

  • 1:05

    You should always validate on the server as well.

  • 1:08

    When the action is validated on the server, the malicious user

  • 1:12

    is required to have access to the code on a web server in some other location.

  • 1:17

    Although there may be bugs in the code which would allow access,

  • 1:20

    server side code is typically easier to protect.

  • 1:24

    If you only validate in one place, always validate on the server.

  • 1:30

    Depending on the language in which your application is written,

  • 1:33

    there are plenty of existing libraries and

  • 1:35

    frameworks that provide some sort of built-in authorization.

  • 1:39

    For example, in JavaScript, there are libraries to provide permissions and

  • 1:43

    access controls to objects.

  • 1:46

    Additionally, you can write custom business logic to prevent certain users

  • 1:50

    from performing certain actions by checking their identity

  • 1:54

    against the action.

  • 1:56

    Finally, for more advanced requirements,

  • 1:59

    you can put systems in place that detect unusual user activity.

  • 2:03

    As with login activity, by monitoring the number of actions and spacing between

  • 2:09

    actions, policies can be enforced that will limit or block certain actions.

  • 2:15

    Now, you should have a good idea of the types of tools to look for

  • 2:19

    when building your own application.

  • 2:21

    Check out the teacher's notes for

  • 2:22

    more resources around TLS, authentication, and authorization.

  • 2:27

    In the next stage,

  • 2:28

    we're going to look at maintaining the security of an application in production.

You need to sign up for Treehouse in order to download course files.

Sign up