Code Smell 270 – Boolean APIs


This content originally appeared on DEV Community and was authored by Maxi Contieri

Avoid booleans, always

TL;DR: Replace boolean security flags in APIs with separate, more secure endpoints.

Problems

  • Overly simplistic security model
  • Lack of granular control
  • Potential for misuse
  • Reduced traceability
  • Difficult maintenance

Solutions

  1. Create separate endpoints
  2. Implement granular permissions
  3. Enhance logging capabilities
  4. Deal with code duplication

Refactorings

Context

Many APIs (like WhatsApp) use boolean flags to toggle security features.

An API might have a secure parameter that enables additional security checks when set to true.

While this approach seems simple, it introduces several problems.

You sacrifice granular control, make the API more prone to misuse, and reduce your ability to track and audit security-related actions.

Instead of relying on boolean flags, you should create separate endpoints for different security levels.

This is a special case of the Remove IF Refactoring.

This approach allows for more precise control, better traceability, and easier maintenance.

Sample Code

Wrong

{
  "message": {
    "imageMessage": {
      "url": "https://mmg.whatsapp.net/v/art_vanderley.jpg",
      "mimetype": "image/jpeg",
      "fileSha256": "mJh9DKj34ao9Ph7cBm/CwKurgjbyMTFHJeo=",
      "fileLength": 24601,
      "height": 2048,
      "width": 1536
    },
    "viewOnce": true
  },
  "type": "notify"
}

Right

# Instead of a single endpoint with a boolean flag:
def send_message(content, view_once=False):
    # Process message based on the view_once flag
    pass

# Create separate endpoints:
def send_regular_message(content):
    # Process a regular message
    pass

def send_view_once_message(content):
    # Process a view-once message with enhanced security
    pass

Detection

[X] Semi-Automatic

We can instruct our linters to warn us about boolean flags.
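As an added example of such a lint (not part of the article and not a real linter rule), the following walks a Python module's AST and reports every function parameter that is annotated `bool` or defaults to `True`/`False`. The sample source it runs over is constructed for the example; the article's exception for real business booleans is left to the reviewer, so the lint flags all of them.

```python
import ast
from typing import List, Tuple

# Constructed sample module (not from the article) for the lint to scan.
SAMPLE_SOURCE = '''
def send_message(content, view_once=False):
    pass

def export_report(report_id, secure: bool):
    pass

def send_view_once_message(content):
    pass
'''

Finding = Tuple[int, str, str]  # (line number, function name, parameter name)


def _is_boolean_param(arg: ast.arg, default) -> bool:
    """A parameter counts as a boolean flag if it is annotated `bool`
    or if its default value is a bool literal."""
    if isinstance(arg.annotation, ast.Name) and arg.annotation.id == "bool":
        return True
    if isinstance(default, ast.Constant) and isinstance(default.value, bool):
        return True
    return False


def find_boolean_parameters(source: str, filename: str = "<string>") -> List[Finding]:
    """Return one finding per boolean parameter in every function of `source`."""
    tree = ast.parse(source, filename)
    findings: List[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        args = node.args
        positional = args.posonlyargs + args.args
        # Defaults line up with the tail of the positional parameter list.
        padding = [None] * (len(positional) - len(args.defaults))
        positional_defaults = padding + list(args.defaults)
        # Keyword-only parameters carry a parallel list of defaults (None when absent).
        params = list(zip(positional, positional_defaults)) + list(zip(args.kwonlyargs, args.kw_defaults))
        for arg, default in params:
            if _is_boolean_param(arg, default):
                findings.append((node.lineno, node.name, arg.arg))
    return findings


def format_findings(findings: List[Finding], filename: str = "<string>") -> List[str]:
    """Render findings in the usual linter style: file:line: message."""
    return [
        f"{filename}:{line}: boolean parameter '{param}' in '{func}()'; "
        f"consider a separate endpoint or an explicit enum instead"
        for line, func, param in findings
    ]


if __name__ == "__main__":
    for line in format_findings(find_boolean_parameters(SAMPLE_SOURCE), "sample.py"):
        print(line)
```

Wired into a pre-commit hook or CI step, a rule like this makes the "semi-automatic" detection the article describes: it catches every boolean parameter mechanically, and a human decides which of the hits are genuine business booleans.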

Exceptions

  • Real Business Booleans (there are just a few of them)

Tags

  • Security

Level

[X] Intermediate

AI Generation

AI code generators might create this smell if instructed to add security options to existing APIs.

They often choose the simplest solution, leading to boolean flags for security features.

AI Detection

AI-powered code analysis tools can detect this smell with specific instructions.

You can train them to flag APIs that use boolean parameters for security-related functionality and suggest creating separate endpoints instead.

Try Them!

Remember: AI Assistants make lots of mistakes

Without Proper Instructions: ChatGPT, Claude, Perplexity, Copilot, Gemini

With Specific Instructions: ChatGPT, Claude, Perplexity, Copilot, Gemini

Conclusion

Creating distinct endpoints for different security levels improves your API's clarity, security, and maintainability.

This approach allows for better access control and more detailed logging.

It also reduces the risk of accidentally processing sensitive data without proper security measures. Remember, when it comes to security, explicit is better than implicit.

Relations

More Info

WhatsApp ViewOnce Security Defect

Boolean Flags

Disclaimer

Code Smells are my opinion.

Credits

Photo by Juan Gomez on Unsplash

Complexity is the worst enemy of security, and our systems are getting more complex all the time.

Bruce Schneier

This article is part of the CodeSmell Series.
