When building APIs with both list and get-by-ID endpoints that return the same objects, using a single permission type (either listItems or getItem) avoids subtle security issues. The post demonstrates how token-based pagination combined with per-item authorization checks can leak information about restricted items through empty pages and nextToken signals. The safer approach is to authorize the list operation before querying the database, passing filter parameters as authorization context. The post also covers best practices: list endpoints should use list permissions, list responses should return minimal data (not full objects), and when full objects are returned in lists, use only list-level policies to avoid permission duplication. AWS S3 and KMS are cited as examples of good API design where list and get operations return different data shapes with separate permissions.
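As an added illustration (not code from the advancedweb.hu post), the Python sketch below uses a constructed in-memory table and an offset-style nextToken to contrast the two designs the summary describes: filtering each row with the getItem policy after the query, versus authorizing the list operation against its filter before the query. The `can_get`, `list_items_*` and `reveals_hidden_items` names are assumptions for this example.

```python
from typing import Optional

PAGE_SIZE = 3

# Constructed sample table; every item belongs to exactly one owner.
OWNERS = ["alice", "alice", "bob", "alice", "alice", "alice", "bob", "bob", "bob"]
ITEMS = [{"id": f"item-{i}", "owner": o} for i, o in enumerate(OWNERS, start=1)]

def can_get(user: str, item: dict) -> bool:
    """Hypothetical getItem policy: owners may read their own items."""
    return item["owner"] == user

def query_page(rows: list, token: Optional[str]):
    """Token pagination over an ordered table (constructed scheme: the token is the next offset)."""
    start = int(token) if token else 0
    end = start + PAGE_SIZE
    next_token = str(end) if end < len(rows) else None
    return rows[start:end], next_token

def list_items_leaky(user: str, token: Optional[str] = None) -> dict:
    """Anti-pattern: query first, then drop items the caller may not getItem.

    A short or empty page that still carries a nextToken tells the caller how
    many items exist at that position that they are not allowed to see.
    """
    page, next_token = query_page(ITEMS, token)
    return {"items": [i["id"] for i in page if can_get(user, i)], "nextToken": next_token}

def list_items_safe(user: str, owner_filter: str, token: Optional[str] = None) -> dict:
    """Authorize the list operation itself, with the filter as authorization context."""
    if owner_filter != user:  # hypothetical listItems policy
        raise PermissionError(f"{user} may not list items owned by {owner_filter}")
    scoped = [i for i in ITEMS if i["owner"] == owner_filter]  # the filter is part of the query
    page, next_token = query_page(scoped, token)
    return {"items": [i["id"] for i in page], "nextToken": next_token}

def reveals_hidden_items(list_fn, *args) -> bool:
    """Walk every page; flag any non-final page shorter than PAGE_SIZE, the leak signal."""
    token = None
    while True:
        resp = list_fn(*args, token)
        if resp["nextToken"] is not None and len(resp["items"]) < PAGE_SIZE:
            return True
        if resp["nextToken"] is None:
            return False
        token = resp["nextToken"]
```

For user `bob`, the leaky endpoint returns a one-item first page and an empty second page, each with a nextToken, exposing that five of alice's items exist; the safe endpoint only ever pages over rows the caller was authorized to list.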

13 min read. From advancedweb.hu

Table of contents: Authorizing lists; Backend implementation; getById; Best practices