
BLincoln2
Member

OAuth Security Question

I'm just getting started with a POC of a public app. I've got the basic OAuth flow wired up, but I feel like I'm not fully understanding something.

What I'm thinking for basic architecture:
- my app will live in the CRM in an iframe, triggered from a CRM card
- my app receives the HubSpot userId via query string from the iframe's src
- my app loads, goes through the OAuth flow. Users do not authenticate on my app beyond HubSpot's OAuth flow (is this typical?)
- I store the refresh and access tokens in my db with the HubSpot userId as the primary key

Now my question (and why I think I'm missing something): doesn't this leave a pretty large vulnerability where users could change the userId in the query string? What prevents my app from sharing other users' tokens?

I can add some sort of rate limiting, etc. to mitigate but I'm wondering if I'm missing something more broadly. How do most apps handle this?

Thanks!
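For readers weighing the design above, here is an added example (not code from the thread or from HubSpot) that puts the lookup-by-query-string approach beside one where the app's notion of "who is this" comes only from the OAuth callback: the code exchange tells the server which user authorized, the server creates a session for that user, and later token lookups go through the session, so the userId in the iframe's src is never used for authorization. The token exchange is simulated with a constructed table, and every name (exchange via CODE_TO_USER, SESSIONS, PENDING_STATE) is a hypothetical stand-in, not a HubSpot API.

```python
import secrets

# Constructed sample data: tokens already stored per HubSpot userId.
TOKENS = {
    "1001": {"access": "acc-1001", "refresh": "ref-1001"},
    "1002": {"access": "acc-1002", "refresh": "ref-1002"},
}
# Constructed stand-in for the token exchange: the authorization server,
# not the browser, tells the app which user authorized.
CODE_TO_USER = {"code-for-1001": "1001", "code-for-1002": "1002"}

SESSIONS = {}          # session_id -> userId, held server-side only
PENDING_STATE = set()  # state values issued to in-flight OAuth flows

def get_tokens_insecure(query_user_id):
    """The design from the question: whoever edits the iframe query
    string chooses the key, so any userId yields that user's tokens."""
    return TOKENS.get(query_user_id)

def start_oauth():
    """Issue an unguessable state value to carry through the redirect."""
    state = secrets.token_urlsafe(32)
    PENDING_STATE.add(state)
    return state

def oauth_callback(code, state):
    """Create a session bound to the user the code exchange reports.
    Returns the new session id, or None if the callback is rejected."""
    if state not in PENDING_STATE:
        return None                     # unsolicited or replayed callback
    PENDING_STATE.discard(state)
    user_id = CODE_TO_USER.get(code)    # real app: HubSpot token exchange
    if user_id is None:
        return None
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = user_id
    return session_id

def get_tokens_secure(session_id, query_user_id=None):
    """Authorize by session only. query_user_id is accepted to show it
    plays no part: the tokens returned are the session owner's."""
    user_id = SESSIONS.get(session_id)
    if user_id is None:
        return None
    return TOKENS.get(user_id)
```

In a real deployment the session id would travel in an HttpOnly, Secure cookie set on the callback response; because the app runs in a cross-site iframe, that cookie also needs SameSite=None or the browser will not send it.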

Humashankar
Top Contributor

OAuth Security Question

Will take some time to get some close solutions; meantime you can also refer to these artifacts, which will help you the most:

https://developers.hubspot.com/docs/api/working-with-oauth

Humashankar VJ
HubSpot Community Champion and enthusiast | Engineering Manager