Security Questions Regarding CMS Authorization

Hi, MemberStack community,

We’re a WebFlow CMS user and we’re trying to set up a workflow where users can create and join an organization using different roles. We have some very simple workflows where users generate data inside their organizations. This means each user should only be able to see data from their organization and should NOT be able to see data from other organizations.

We are currently accomplishing this by mapping each User Item ID in the CMS to an Organization Item ID and a Role (i.e. Owner, Admin, Editor, and Member). We can use MemberStack to manage authentication and authorization for specific User Item ID and Role combinations; however, we have not found a way with MemberStack to scope by Organization Item ID. For now, we’re using WebFlow’s Dynamic Content Filters and Custom Attributes to scope data from the CMS by only showing data that match the Organization Item ID and User Item ID passed from the WebFlow UI. Before launching our site, we’d like to be extra sure that we’re keeping our customers’ organization data safe from attackers.

Typically, from our software development experience, we would implement a client web app to fetch a token by logging in through an identity provider (IdP), and then our backend/middle-tier would handle any incoming requests from the client by first checking with the IdP through its SDK or API to verify that the token given is authorized before processing the request. However, it’s not clear to us how the Webflow client and its backends (i.e. the CMS + various 3rd party integrations) are aware of how to verify the token against the IdP before processing a request. I also can’t seem to find a simple call flow diagram or doc that explains how MemberStack handles incoming requests; a lot of the WebStack ecosystem is a bit of a black-box and we’d like to make sure our customers’ data is secure from malicious attempts and to understand the security risks and limitations of the ecosystem.

For instance, the MemberStack tutorials describe a setup workflow where we add tags to the head and body of different pages to manage the auth token; I presume these are only used on the client-side. However, it’s not clear to me how the backends (i.e. the WebFlow CMS, Zapier, Integromat, Airtable, HubSpot, etc.) know how to handle the client’s token (decrypt it, verify roles and permission, etc.) since I can’t seem to find a step where I set up the backend’s integration with the IdP.

This said, my main question can be simply summarized as follows:
What are all the measures in place to prevent attackers from making a request directly to the CMS or a 3rd party integration and spoofing the Item IDs from other users?

Thank you very much.

1 Like
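
The middle-tier check described in the post above, as an added example that is not part of the original thread and is not MemberStack or Webflow code: the server verifies the token, looks up the organization and role from its own mapping, and refuses any request whose client-supplied Organization ID does not match. The HMAC-signed token is an assumed stand-in for an IdP-issued token, and every name and value here is hypothetical.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data; every name below is hypothetical.
SECRET = b"demo-signing-key"  # stands in for the IdP's verification key
MEMBERSHIPS = {"user_a": ("org_1", "Editor"), "user_b": ("org_2", "Owner")}
RECORDS = [
    {"id": "r1", "org_id": "org_1", "body": "org 1 note"},
    {"id": "r2", "org_id": "org_2", "body": "org 2 note"},
]

class Forbidden(Exception):
    pass

def issue_token(user_id, ttl=300, now=None):
    """Stand-in for the IdP: sign the user id and an expiry time."""
    claims = {"sub": user_id, "exp": (now or time.time()) + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + sig

def verify_token(token, now=None):
    """Return the user id only if the signature and expiry check out."""
    try:
        payload, sig = token.rsplit(".", 1)
        expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise Forbidden("bad signature")
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        raise Forbidden("malformed token")
    if claims["exp"] < (now or time.time()):
        raise Forbidden("token expired")
    return claims["sub"]

def list_records(token, requested_org_id):
    """Scope by the server-side membership, never by the client's org id alone."""
    user_id = verify_token(token)
    if user_id not in MEMBERSHIPS:
        raise Forbidden("no membership")
    org_id, _role = MEMBERSHIPS[user_id]
    if requested_org_id != org_id:
        raise Forbidden("organization mismatch")
    # The filter uses the org id from the server's mapping, not the request.
    return [r for r in RECORDS if r["org_id"] == org_id]
```

A filter applied only in the page (matching IDs passed from the UI) has no equivalent of `verify_token` or the `MEMBERSHIPS` lookup, which is the gap the question is asking about.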

Hey Cesar :wave:

Welcome, and thank you for posting in the forum! :partying_face:

Thank you for the detailed post! I just read this and I am passing this info on to our developer team to answer when they get a chance. Just wanted to let you know we are working on this and you haven’t been forgotten.

Much love :heart:

1 Like

Hi @Josh-Lopez Josh, any updates would be much appreciated.

Hi @Josh-Lopez, any updates/answers to this question? I’m developing something similar right now and the client would like an answer to this. Thanks.