Consider the following examples of access token leakage.
Pseudo
# Serves a user profile after checking an access token taken from the request.
# Where extractAccessTokenFromRequest reads the token from (query string,
# header, cookie) is not specified here; that choice decides whether the token
# ends up in URLs, and so in access logs, browser history and Referer headers.
function viewProfile(w, r):
    userId = extractUserIdFromRequest(r)
    accessToken = extractAccessTokenFromRequest(r)
    if isValidAccessToken(accessToken):   # checks validity only; nothing ties the token to userId
        user = getUserFromDatabase(userId)
        respondWithUserProfile(w, userId, user.Profile)
    else:
        respondWithError(w, "Unauthorized access", StatusUnauthorized)
Go
// viewProfile serves the profile of the user named by the "userId" query
// parameter when the "accessToken" query parameter passes isValidAccessToken
// (defined elsewhere in the file).
//
// Both values are read from r.URL.Query(), so the token travels in the URL.
// URLs are routinely written to server access logs, proxy logs, browser
// history and Referer headers, which is the leakage path this snippet shows.
func viewProfile(w http.ResponseWriter, r *http.Request) {
	// Both inputs come from the query string and are used as-is.
	userId := r.URL.Query().Get("userId")
	accessToken := r.URL.Query().Get("accessToken")
	if isValidAccessToken(accessToken) {
		// Only the token's validity is checked; nothing here associates the
		// token with userId (an authorization gap separate from the leakage).
		user := getUserFromDatabase(userId)
		// userId is echoed back into the response body verbatim.
		fmt.Fprintf(w, "Profile of user %s: %s", userId, user.Profile)
	} else {
		http.Error(w, "Unauthorized access", http.StatusUnauthorized)
	}
}
Kotlin
/**
 * Spring MVC controller serving a user's profile behind an access token check.
 *
 * Both [viewProfile] parameters are bound with `@RequestParam`, i.e. from the
 * request parameters (typically the query string). A token carried in the
 * query string is recorded wherever URLs are recorded — access logs, proxy
 * logs, browser history, `Referer` headers — which is the leakage shown here.
 */
@RestController
class ProfileController {
    /**
     * Returns the profile text for [userId] when [accessToken] equals the
     * hard-coded literal `"xyz"`.
     *
     * The comparison is ordinary string equality against a secret embedded in
     * source, and nothing here associates the token with [userId].
     *
     * @param userId identifier of the profile to fetch, taken verbatim from the request
     *               and echoed back into the response body.
     * @param accessToken value compared with the literal `"xyz"`.
     * @return 200 with the profile text on a match, 401 otherwise.
     */
    @GetMapping("/viewProfile")
    fun viewProfile(
        @RequestParam userId: String,
        @RequestParam accessToken: String
    ): ResponseEntity<String> {
        if (accessToken == "xyz") {
            val user = getUserFromDatabase(userId)
            return ResponseEntity.ok("Profile of user $userId: ${user.profile}")
        } else {
            return ResponseEntity.status(401).body("Unauthorized access")
        }
    }
}
Scala
/** Play controller serving a user's profile behind a hard-coded access token check.
 *
 *  `userId` and `accessToken` are bound by the Play router (routes file not
 *  shown; presumably query-string parameters). A token carried in the URL is
 *  recorded in access logs, proxy logs, browser history and Referer headers,
 *  which is the leakage this snippet illustrates.
 */
class ProfileController extends Controller {
  /** Compares `accessToken` with the literal "xyz" using ordinary string
   *  equality, then returns the profile text for `userId`; nothing here
   *  associates the token with `userId`.
   */
  def viewProfile(userId: String, accessToken: String) = Action { implicit request =>
    if (accessToken == "xyz") {
      val user = getUserFromDatabase(userId)
      // userId is echoed back into the response body verbatim.
      Ok(s"Profile of user $userId: ${user.profile}")
    } else {
      Unauthorized("Unauthorized access")
    }
  }
}
Which of the code snippets shown above uses practices to prevent access token leakage?