OpenSourceFellows
[Security] Secure and Sanitize Campaign API
Intro
In DevSecOps, "less privilege" refers to the principle of least privilege (PoLP), which means granting users, applications, or services the minimal level of access required to perform their tasks, and nothing more. When working with an API, this principle ensures that:
API users (such as applications or services) only have the minimum permissions they need to interact with the API. Each API key or token is assigned only the specific roles, access levels, or scopes necessary to perform a given function.Limiting exposure of sensitive data or operations by making sure an API consumer can only access certain endpoints or perform certain actions (e.g., read-only vs. read-write access).
Example in DevSecOps:
If you have an API that manages user data, and an application only needs to fetch user information, the API key associated with this app should only have read-only access to user data, not permissions to modify or delete it. By enforcing least privilege, you minimize the risk of accidental or malicious damage in case the API key is compromised. Applying this principle helps to reduce security risks, ensuring that even if an account or service is compromised, the damage potential is limited.
Task
In file: https://github.com/OpenSourceFellows/amplify/blob/main/server/routes/api/campaigns.js
Copilot Prompts in quotes
- [x] " Limit Data Exposure" in line 17 - 26
- [x] Highlight file "refactor to give least privilege"
