So if someone is logged into an app, they can easily see the network requests and token used, and make calls of their own using Postman, curl, etc. For production, I’d like to limit this so I know there won’t be any rogue queries, either mistakenly or DoS, eating resources, etc.
I know nonce values are used to make sure an API call can only be called once before requesting another. What do you call it when an app requests a nonce, encrypts/decrypts/hashes it, then makes a request with it and the server validates it? Like a public/private key pair, or hash function. Second, is it possible to implement something like this? Triggers only happen on create/update/delete but not read. I don’t want to rewrite all the resolvers, but maybe a type of resolver proxy or REST endpoint proxy that does the nonce logic?
Any type of temporary token will require fast storage such as Redis, or in memory, but that’s not available with serverless functions. Or maybe if Aurora supports in-memory tables, but that is getting very specific. What options do I have to do something like this?