This was auto-generated by a Slack integration.
Message text - I was looking at your frontend authorization tooling (https://docs.permit.io/integrations/feature-flagging/casl) with a colleague and it seems like there might be a hole... You're expecting that the frontend explicitly include the user id in the request to the backend API. I think this is redundant and potentially insecure. Wouldn't it be better to use the JWT that is passed to the backend API and extract the user's information from that? Since we can trust the JWT due to it being signed by the IdP, we know that it hasn't been tampered with. However, by allowing a frontend to pass any arbitrary user id into the backend, any user could effectively see what another user is authorized to do. Am I missing something?
User - mruwe