OutSystems Reactive — Fetch Data Security

John Alvin Salamat
2 min readJan 19, 2020


You have probably heard the buzz already about the new type of app in OutSystems, Reactive; I am fortunate to work on a project that is an early adopter of this technology. The React framework has been used in OutSystems mobile for quite some time and has been battle-tested by lots of mobile apps, but it is still quite new on the web, where resources can be exposed through the browser. On the web, resources are not "protected" by the operating system the way they are on a (non-jailbroken) mobile device.

This led me to investigate how the endpoints (a.k.a. Fetch Data) are produced. Imagine that you create a Screen that contains a Fetch Data…

The Fetch Data translates to a REST service that the client calls to get the data it needs from the server.

As you can see, the REST endpoint is exposed in the Network tab of the developer tools and the login context shows up in the cookies. So how is it protected on the server side? The code will tell the truth… (apologies for hurting your eyes by showing high-code below)

Permission checks are done based on the Roles assigned to the Screen. This means that if we mark the screen as Anonymous, the REST endpoint is exposed publicly (this applies to mobile as well) and can be invoked without any login context.
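One way to verify that behaviour on a deployed app, as an added example that is not from this article or from OutSystems: call each screen's Fetch Data endpoint without the login cookie and compare the result with the roles the screen is supposed to require. The screen inventory, the endpoint URLs and the expectation that a protected endpoint answers 401/403 are all assumptions.

```python
"""Audit whether screen-generated Fetch Data endpoints really enforce the screen's roles.

Assumptions (hypothetical, not from the article): you can list each screen with its
endpoint URL and roles, and an anonymous call to a role-protected endpoint returns
401 or 403. The probe is injectable so the audit runs offline with constructed data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List
import urllib.error
import urllib.request


@dataclass
class ScreenEndpoint:
    screen: str
    url: str           # hypothetical URL of the REST endpoint generated for the Fetch Data
    roles: List[str]   # roles assigned to the screen; empty means the screen is Anonymous


def http_probe(url: str) -> int:
    """Call the endpoint with no cookies (no login context) and return the HTTP status."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:  # assumption: plain GET suffices
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(endpoints: List[ScreenEndpoint],
          probe: Callable[[str], int] = http_probe) -> Dict[str, List[str]]:
    """Flag endpoints reachable anonymously although their screen has roles,
    and list Anonymous screens separately so intentional exposure is reviewed."""
    findings: Dict[str, List[str]] = {"unprotected": [], "anonymous_by_design": []}
    for ep in endpoints:
        status = probe(ep.url)
        if not ep.roles:
            findings["anonymous_by_design"].append(f"{ep.screen} -> {ep.url} ({status})")
        elif status not in (401, 403):
            findings["unprotected"].append(
                f"{ep.screen} expects roles {ep.roles} but anonymous call returned {status}")
    return findings


# Constructed inventory and fake responses for an offline run (placeholder URLs).
SAMPLE = [
    ScreenEndpoint("Dashboard", "https://example.invalid/App/Dashboard/GetOrders", ["Registered"]),
    ScreenEndpoint("PublicCatalog", "https://example.invalid/App/PublicCatalog/GetItems", []),
    ScreenEndpoint("AdminReport", "https://example.invalid/App/AdminReport/GetReport", ["Admin"]),
]
FAKE_STATUS = {SAMPLE[0].url: 403, SAMPLE[1].url: 200, SAMPLE[2].url: 200}  # AdminReport misconfigured

if __name__ == "__main__":
    for kind, items in audit(SAMPLE, probe=FAKE_STATUS.__getitem__).items():
        print(kind, *items, sep="\n  ")
```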

I highly value this kind of encapsulation by the platform. In high-code it would be a tedious process to go through every REST endpoint and assign the appropriate roles, since an endpoint is not directly associated with a screen the way it is in OutSystems. This really says something about the speed of development you can achieve with the platform.

Disclaimer: The views expressed by the author above do not necessarily represent the views of OutSystems.
