Hello Sebastian,
We were looking into the Notifo SDK and needed to create a user with a specific ID. When trying to use the PostUserAsync method it uses the “UpsertUserDto” model witch does not have the ID field. But the API supports the creation with a specific ID. (If this change make’s sense to you we can implement it ourselves)
I am thinking of implementing a custom web component to interact with Notifo. This means that to make the requests It will need the API Key of the current user. If this key is leaked there’s a breach of security (it’s always the same). Is there any other way to authenticate the user?
Best regards,
Henrique Melo
I am confused. In my tests the Id is there: https://github.com/notifo-io/notifo/blob/022b173e9ea01c6fbb5523efc7ea2bc960241ea7/tools/TestSuite/TestSuite.ApiTests/UsersTests.cs
Every user has its own key, so there is not that much potential for a leak. It is the same when an access token is leaked.
We were using the wrong method. Now it works.
I understand that, but in the possibility of leaking the key shouldn’t rotate? For example tokens are revoked in “x” hours. This Key’s could be revoked too and new ones created.
What do you think?
Yes, it could be implemented, but it really depends how you retrieve the token. Another option would be to create a user token on the fly when you login on your service and then you decide how long it should be valid.
That is a good option too. Thank’s for your opinion, we will look into this option.
For this option I would have to implement something as well.
I was thinking for all communication to pass though our API. (probably not the best option for performance).
What is your vision for this modification?
When we use the method “User.PostUserAsync” shouldn’t is have the Id property? If we use the method “Users.PostUsersAsync” like you use in your test we can specify the ID.