After thinking a bit more about it, I think it is the best way to do all authorization stuff in my gateway. It is a bit cleaner to understand. Then I just have to be sure that security 100% works.
Check owner on Gateway or Microservice?
Hi. I'm building my first bigger application with a gateway (which handles all requests from a Vue app and redirects them all to the right microservices). The microservices only know a user id. For example, the posts microservice has a post title, id, text and a user_id. My first idea was to give the user id from the gateway to the microservice and check there if the user could change it. But I have two security things in it. First, the microservice can only be accessed with an access_token (which only the gateway has), and the microservice can only be accessed from one IP: the IP of the gateway. So I am thinking about doing all checks (is the user the owner of a post, is he a paying subscriber and can do more than 3 posts, ...) in the gateway with policies.
Does this sound right? So the microservice only saves, updates and deletes, but does not check if the user can do these things.
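The layout the question describes, as an added example that is not the poster's code or any framework's: a gateway that applies owner and subscriber-limit policies before forwarding only the user id to a posts service, plus the service repeating the ownership check on writes so a gateway bug cannot silently become a data-integrity problem. It is written in Python rather than the poster's stack; the names `Gateway`, `PostPolicy`, `PostsService` and the limit of 3 free posts are assumptions taken from the thread's own example.

```python
"""Added example: gateway-side authorization policies in front of a posts
service that only knows user ids, with the service keeping a second
ownership check. Class names and the free-post limit are assumptions."""
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when a policy or the service refuses an action."""


@dataclass(frozen=True)
class User:
    id: int
    is_subscriber: bool = False


@dataclass
class Post:
    id: int
    user_id: int
    title: str


class PostsService:
    """The microservice: reachable only by the gateway, yet it still refuses
    writes where the acting user id is not the owner (defense in depth)."""

    def __init__(self) -> None:
        self._posts: dict[int, Post] = {}
        self._next_id = 1

    def get(self, post_id: int) -> Post:
        return self._posts[post_id]

    def count_for(self, user_id: int) -> int:
        return sum(1 for p in self._posts.values() if p.user_id == user_id)

    def create(self, acting_user_id: int, title: str) -> Post:
        post = Post(self._next_id, acting_user_id, title)
        self._posts[post.id] = post
        self._next_id += 1
        return post

    def update(self, acting_user_id: int, post_id: int, title: str) -> Post:
        post = self._posts[post_id]
        if post.user_id != acting_user_id:  # second-layer ownership check
            raise AuthorizationError("service: not the owner")
        post.title = title
        return post


class PostPolicy:
    """Gateway-side policy: owner checks and the paying-subscriber post limit."""

    FREE_POST_LIMIT = 3  # constructed from the thread's "more than 3 posts"

    def __init__(self, service: PostsService) -> None:
        self._service = service

    def create(self, user: User) -> bool:
        return user.is_subscriber or self._service.count_for(user.id) < self.FREE_POST_LIMIT

    def update(self, user: User, post: Post) -> bool:
        return post.user_id == user.id


class Gateway:
    """Receives the already-authenticated User, applies the policy, and only
    then forwards the user id to the service."""

    def __init__(self, service: PostsService) -> None:
        self._service = service
        self._policy = PostPolicy(service)

    def create_post(self, user: User, title: str) -> Post:
        if not self._policy.create(user):
            raise AuthorizationError("gateway: post limit reached")
        return self._service.create(user.id, title)

    def update_post(self, user: User, post_id: int, title: str) -> Post:
        post = self._service.get(post_id)
        if not self._policy.update(user, post):
            raise AuthorizationError("gateway: not the owner")
        return self._service.update(user.id, post_id, title)


def demo() -> dict:
    """Runs the thread's scenarios and records which ones were refused."""
    service = PostsService()
    gateway = Gateway(service)
    alice, bob = User(1), User(2, is_subscriber=True)
    results = {}
    for i in range(3):
        gateway.create_post(alice, f"alice {i}")
    try:
        gateway.create_post(alice, "alice 4")
        results["free_user_fourth_post"] = "allowed"
    except AuthorizationError:
        results["free_user_fourth_post"] = "denied"
    results["subscriber_post"] = gateway.create_post(bob, "bob 1").id
    try:
        gateway.update_post(bob, 1, "hijacked")
        results["other_user_update"] = "allowed"
    except AuthorizationError:
        results["other_user_update"] = "denied"
    # A call that skips the gateway is still refused by the service itself.
    try:
        service.update(bob.id, 1, "hijacked")
        results["service_direct_update"] = "allowed"
    except AuthorizationError:
        results["service_direct_update"] = "denied"
    results["owner_update"] = gateway.update_post(alice, 1, "edited").title
    return results


if __name__ == "__main__":
    print(demo())
```

The gateway is the single place where policies live, which keeps the rules readable, but the service's own `user_id` comparison on writes costs one line and means the access token and IP allow-list are not the only things standing between a gateway mistake and another user's data.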