Query input params security

I have a REST API query1, e.g.:
api/user with a bearer token as the authorisation header

This query returns a list of IDs of "things" this user is allowed to see.

Then I have another SQL query2, e.g.:
SELECT * FROM things WHERE id = ANY({{ query1.data.thingIDs }})

Now it looks like, from a security point of view, the user is able to change the input parameters for query2 in the browser, because it looks like the Retool runtime does a POST query?queryName=query2 with the array in the request body (queryParams). So the user could run the query with a totally different list of IDs.

So I was always under the impression that all of this happens in the backend of Retool, and not in the frontend. Is there any way to prevent this? As it is, this is a big security issue in my opinion.

Hey @Rafael!

It's possible to prevent query variable spoofing for the {{ current_user }} global:

That's used, for instance, to implement row level security, but since you're fetching the IDs from a REST API it may be better to put both queries into a Workflow which will run entirely on the backend. When you trigger the workflow you can still pass it a value from {{ current_user }} that identifies the user and can't be spoofed.

Could that work? Are you dependent on user-based authentication for your REST API?
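
The trust-boundary difference discussed above, as an added example that is not part of the original thread and is not Retool or Retool Workflow code: a small Node.js model in which the frontend-driven flow runs query2 with whatever ID array arrives in the request body, while the backend-only flow re-derives the ID list from a user identity the runtime supplies (standing in for {{ current_user }}) and never consults the request body. The sample data, the `lookupAllowedIds` stand-in for api/user, and the `runQuery2` stand-in for the database driver are all constructed for this example and are assumptions, not anything from the page.

```javascript
// Added example: models why a client-supplied ID list cannot be trusted and
// how a backend-only flow avoids it. Not Retool code; all data is constructed.

// Constructed stand-in for what api/user returns per authenticated user.
const ALLOWED_THING_IDS_BY_USER = {
  "alice@example.com": [1, 2],
  "bob@example.com": [3],
};

// Constructed stand-in for the "things" table.
const THINGS_TABLE = [
  { id: 1, name: "alice-doc-1", secret: "a1" },
  { id: 2, name: "alice-doc-2", secret: "a2" },
  { id: 3, name: "bob-doc-1", secret: "b1" },
  { id: 4, name: "admin-doc", secret: "root" },
];

// Stand-in for query1 (api/user): the authoritative list of IDs for a user.
function lookupAllowedIds(userEmail) {
  return ALLOWED_THING_IDS_BY_USER[userEmail] ?? [];
}

// Stand-in for the database driver executing
//   SELECT * FROM things WHERE id = ANY($1)
// with $1 bound as an integer array. Rejects anything that is not an array of
// integers so a tampered body cannot smuggle strings into the bind parameter.
// Returns the SQL and bound params alongside the rows so callers can see
// exactly what reached the database.
function runQuery2(ids) {
  if (!Array.isArray(ids) || !ids.every(Number.isInteger)) {
    throw new TypeError("thingIDs must be an array of integers");
  }
  const sql = "SELECT * FROM things WHERE id = ANY($1)";
  const rows = THINGS_TABLE.filter((row) => ids.includes(row.id));
  return { sql, params: [ids], rows };
}

// 1. Frontend-driven flow, as described in the question: the query2 request
//    body carries the array, so whatever the browser sends is what runs.
function frontendFlow(requestBody) {
  const ids = requestBody.queryParams.thingIDs; // attacker-controlled
  return runQuery2(ids);
}

// 2. Backend-only flow: the only input is a user identity the runtime supplies
//    (modelling {{ current_user }}); the ID list is re-derived server-side and
//    the request body is never consulted, so there is nothing to spoof.
function backendFlow(currentUserEmail) {
  const ids = lookupAllowedIds(currentUserEmail);
  return runQuery2(ids);
}

// 3. Variant for when the client legitimately narrows the result (a filter):
//    the requested IDs are intersected with the server-derived allowed set,
//    so a tampered request can only shrink the result, never widen it.
function backendFlowWithClientFilter(currentUserEmail, requestedIds) {
  const allowed = new Set(lookupAllowedIds(currentUserEmail));
  const ids = (Array.isArray(requestedIds) ? requestedIds : []).filter((id) =>
    allowed.has(id)
  );
  return runQuery2(ids);
}

// Demonstration: a tampered body from alice's browser asking for every ID.
const tamperedBody = { queryParams: { thingIDs: [1, 2, 3, 4] } };
console.log("frontend flow returns:", frontendFlow(tamperedBody).rows.map((r) => r.id));
console.log("backend flow returns: ", backendFlow("alice@example.com").rows.map((r) => r.id));
console.log(
  "filtered flow returns: ",
  backendFlowWithClientFilter("alice@example.com", [2, 3, 4]).rows.map((r) => r.id)
);
```

The point of the third function is that "the backend decides" does not have to mean "the client can send nothing": the client may still pass a selection, as long as the server treats it as a filter over the set it derived itself rather than as the set.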

Can you share an example of this? I'm trying to implement proposed solution.