Avoid booleans, always
TL;DR: Replace boolean security flags in APIs with separate, more secure endpoints.
Problems
Overly simplistic security model
Lack of granular control
Potential for misuse
Reduced traceability
Difficult maintenance
Solutions
Create separate endpoints
Implement granular permissions
Enhance logging capabilities
Deal with code duplication
Refactorings
https://hackernoon.com/refactoring-014-how-to-remove-if?embedable=true
https://hackernoon.com/refactoring-013-eliminating-repeated-code-with-dry-principles?embedable=true
Context
Many APIs (like WhatsApp) use boolean flags to toggle security features.
An API might have a secure parameter that enables additional security checks when set to true.
While this approach seems simple, it introduces several problems.
You sacrifice granular control, make the API more prone to misuse, and reduce your ability to track and audit security-related actions.
Instead of relying on boolean flags, you should create separate endpoints for different security levels.
This is a special case of the Remove IF Refactoring.
This approach allows for more precise control, better traceability, and easier maintenance.
Sample Code
Wrong
{
“message”: {
“imageMessage”: {
“url”: “https://mmg.whatsapp.net/v/art_vanderley.jpg”,
“mimetype”: “image/jpeg”,
“fileSha256”: “mJh9DKj34ao9Ph7cBm/CwKurgjbyMTFHJeo=”,
“fileLength”: 24601,
“height”: 2048,
“width”: 1536
},
“viewOnce”: true
},
“type”: “notify”
}
Right
# Instead of a single endpoint with a boolean flag:
def send_message(content, view_once = False):
# Process message based on view_once flag
pass
# Create separate endpoints:
def send_regular_message(content):
# Process regular message
pass
def send_view_once_message(content):
# Process view once message with enhanced security
pass
Detection
[x] Semi-Automatic
We can instruct our linters to warn us for boolean flags.
Exceptions
Real Business Booleans (There are just a few ones)
Tags
Security
Level
[x] Intermediate
AI Generation
AI code generators might create this smell if instructed to add security options to existing APIs.
They often chose the simplest solution, leading to boolean flags for security features.
AI Detection
AI-powered code analysis tools can detect this smell with specific instructions.
You can train them to flag APIs that use boolean parameters for security-related functionality and suggest creating separate endpoints instead.
Try Them!
Remember: AI Assistants make lots of mistakes
| Without Proper Instructions | With Specific Instructions |
|—-|—-|
| ChatGPT | ChatGPT |
| Claude | Claude |
| Perplexity | Perplexity |
| Copilot | Copilot |
| Gemini | Gemini |
Conclusion
Creating distinct endpoints for different security levels improves your API’s clarity, security, and maintainability.
This approach allows for better access control and more detailed logging.
It also reduces the risk of accidentally processing sensitive data without proper security measures. Remember, when it comes to security, explicit is better than implicit.
Relations
https://hackernoon.com/how-to-find-the-stinky-parts-of-your-code-part-xiii
https://hackernoon.com/how-to-find-the-stinky-parts-of-your-code-part-ii-o96s3wl4
More Info
https://martinfowler.com/articles/feature-toggles.html?embedable=true
Disclaimer
Code Smells are my opinion.
Credits
Photo by Juan Gomez on Unsplash
Complexity is the worst enemy of security, and our systems are getting more complex all the time.
Bruce Schneier
https://hackernoon.com/400-thought-provoking-software-engineering-quotes?embedable=true
This article is part of the CodeSmell Series.