I want to introduce pagination in one of my server endpoints.

The endpoint will have an option to include in the parameter the last index of the previous page, and if included, the "page" returned will start from the first index bigger than the last index.

e.g., if the last item in the page returned is 222, the last index parameter will be 222, and the server will return items starting from 223.

The problem is that I also want to have caching on my queries (the pages should be static).

Currently, submitting the last index in plain is bad, as the user can modify the value and hence bypass the caching every time.

I want to return in the response of the page, a signed last index, which the user could add to the url to fetch the next page.

But I already have user authentication using JWT token, and I don't want to have another token in the url just for pagination.

Is there a better alternative to JWT to sign a small field so the server will be able to discard invalid values?

The server mentioned is Spring boot with Spring Security included.

Nadav96

  • You can HMAC it, but it might be better to re-think your approach. Why not use a page number instead of an index? Even if you keep the index, do you really need to sign it? Why not just verify it? eg `index % 10 == 0` or something. – AndrolGenhald Apr 04 '18 at 17:03
  • @AndrolGenhald I thought about that, but the problem is that the entire collection can be changed (items removed/added etc..), and in order to avoid missing data, the last index will help me ensure that the collection returned is starting from the correct place. – Nadav96 Apr 04 '18 at 17:06
  • So you want to generate small encrypted tokens for the given integers? – Limit Apr 04 '18 at 20:52
  • @Limit Yes, I decided to append to the endpoint result an HMAC, appended with the plain data which it consists of: expiration timestamp, user id and the last index. The client simply sends it to the server, the server builds the HMAC from the supplied values, and throws an error if the hash is different. Does that sound reasonable? (btw the user id is coming from the jwt token, which is verified in a different provider) – Nadav96 Apr 04 '18 at 20:58
  • I don't see how "_I also want to have caching on my queries (the pages should be static)_" ties up with "_entire collection can be changed (items removed/added etc..)_"? If items can be added/removed, then how can you allow queries to be cached? Any cached response may contain entries that no longer exist, or fail to include new ones that do. – TripeHound Sep 04 '19 at 09:12
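The HMAC-signed cursor sketched in the comments (expiration timestamp, user id from the already-verified JWT, last index, plus a MAC over those three plain fields), as an added example that is not code from the question or from Spring; the secret key and the `|` separator are assumptions, and the server would derive its cache key from the index only after `verify_cursor` accepts it:

```python
import hashlib
import hmac

# Constructed demo key; a real deployment loads a random secret from configuration.
SECRET_KEY = b"demo-secret-change-me"
SEP = "|"  # assumed field separator; user ids must not contain it


def make_cursor(last_index: int, user_id: str, expires_at: int, key: bytes = SECRET_KEY) -> str:
    """Build 'expires_at|user_id|last_index|mac' where mac covers the three plain fields."""
    if SEP in user_id:
        raise ValueError("user id must not contain the separator")
    payload = f"{expires_at}{SEP}{user_id}{SEP}{last_index}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}{SEP}{mac}"


def verify_cursor(cursor: str, user_id: str, now: int, key: bytes = SECRET_KEY):
    """Return the last index if the cursor is intact, unexpired and bound to this
    user (user_id comes from the verified JWT, never from the URL); else None."""
    parts = cursor.split(SEP)
    if len(parts) != 4:
        return None
    exp_s, uid, idx_s, mac = parts
    payload = f"{exp_s}{SEP}{uid}{SEP}{idx_s}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a tampered MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, mac):
        return None
    if uid != user_id:
        return None
    try:
        expires_at, last_index = int(exp_s), int(idx_s)
    except ValueError:
        return None
    if now > expires_at or last_index < 0:
        return None
    return last_index
```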

1 Answer

I eventually found out that this is an overkill. Instead I use Spring JPA PagingAndSortingRepository to manage my pages.

Nadav96