Avoid booleans, always TL;DR: Replace boolean security flags in APIs with separate, more secure endpoints. Problems Overly simplistic security model
Lack of granular control
Potential for misuse
Reduced traceability
Difficult maintenance Solutions Create separate endpoints
Implement granular permissions
Enhance logging capabilities
Deal with code duplication Refactorings https://hackernoon.com/refactoring-014-how-to-remove-if?embedable=true https://hackernoon.com/refactoring-013-eliminating-repeated-code-with-dry-principles?embedable=true Context Many APIs (like WhatsApp) use boolean flags to toggle security features. An API might have a secure parameter that enables additional security checks when set to true. While this approach seems simple, it introduces several problems. You sacrifice granular control, make the API more prone to misuse, and reduce your ability to track and audit security-related actions. Instead of relying on boolean flags, you should create separate endpoints for different security levels. This is a special case of the Remove IF Refactoring. This approach allows for more precise control, better traceability, and easier maintenance. Sample Code Wrong {
  "message": {
    "imageMessage": {
      "url": "https://mmg.whatsapp.net/v/art_vanderley.jpg",
      "mimetype": "image/jpeg",
      "fileSha256": "mJh9DKj34ao9Ph7cBm/CwKurgjbyMTFHJeo=",
      "fileLength": 24601,
      "height": 2048,
      "width": 1536
    },
    "viewOnce": true
  },
  "type": "notify"
} Right # Instead of a single endpoint with a boolean flag:
def send_message(content, view_once = False):
    # Process message based on view_once flag
    pass

# Create separate endpoints:
def send_regular_message(content):
    # Process regular message
    pass

def send_view_once_message(content):
    # Process view once message with enhanced security
    pass Detection [x]Semi-Automatic We can instruct our linters to warn us for boolean flags. Exceptions Real Business Booleans (There are just a few ones) Tags Security Level [x]Intermediate AI Generation AI code generators might create this smell if instructed to add security options to existing APIs. They often chose the simplest solution, leading to boolean flags for security features. AI Detection AI-powered code analysis tools can detect this smell with specific instructions. You can train them to flag APIs that use boolean parameters for security-related functionality and suggest creating separate endpoints instead. Try Them! Remember: AI Assistants make lots of mistakes Without Proper Instructions

With Specific Instructions



ChatGPT

ChatGPT



Claude

Claude



Perplexity

Perplexity



Copilot

Copilot



Gemini

Gemini Conclusion Creating distinct endpoints for different security levels improves your API's clarity, security, and maintainability. This approach allows for better access control and more detailed logging. It also reduces the risk of accidentally processing sensitive data without proper security measures. Remember, when it comes to security, explicit is better than implicit. Relations https://hackernoon.com/how-to-find-the-stinky-parts-of-your-code-part-xiii https://hackernoon.com/how-to-find-the-stinky-parts-of-your-code-part-ii-o96s3wl4 More Info https://medium.com/@TalBeerySec/once-and-forever-whatsapps-view-once-functionality-is-broken-302a508390b0?embedable=true https://martinfowler.com/articles/feature-toggles.html?embedable=true Disclaimer Code Smells are my opinion. Credits Photo by Juan Gomez on Unsplash Complexity is the worst enemy of security, and our systems are getting more complex all the time. Bruce Schneier https://hackernoon.com/400-thought-provoking-software-engineering-quotes?embedable=true This article is part of the CodeSmell Series. How to Find the Stinky Parts of your Code Avoid booleans, always Avoid booleans, always TL;DR: Replace boolean security flags in APIs with separate, more secure endpoints. TL;DR: Replace boolean security flags in APIs with separate, more secure endpoints. Problems Overly simplistic security model Lack of granular control Potential for misuse Reduced traceability Difficult maintenance Overly simplistic security model Lack of granular control Potential for misuse Reduced traceability Difficult maintenance Solutions Create separate endpoints Implement granular permissions Enhance logging capabilities Deal with code duplication Create separate endpoints Implement granular permissions Enhance logging capabilities Deal with code duplication code duplication Refactorings https://hackernoon.com/refactoring-014-how-to-remove-if?embedable=true https://hackernoon.com/refactoring-014-how-to-remove-if?embedable=true https://hackernoon.com/refactoring-013-eliminating-repeated-code-with-dry-principles?embedable=true https://hackernoon.com/refactoring-013-eliminating-repeated-code-with-dry-principles?embedable=true Context Many APIs (like WhatsApp ) use boolean flags to toggle security features. WhatsApp An API might have a secure parameter that enables additional security checks when set to true . true While this approach seems simple, it introduces several problems. You sacrifice granular control, make the API more prone to misuse, and reduce your ability to track and audit security-related actions. Instead of relying on boolean flags , you should create separate endpoints for different security levels. boolean flags This is a special case of the Remove IF Refactoring. Remove IF This approach allows for more precise control, better traceability, and easier maintenance. Sample Code Wrong {
  "message": {
    "imageMessage": {
      "url": "https://mmg.whatsapp.net/v/art_vanderley.jpg",
      "mimetype": "image/jpeg",
      "fileSha256": "mJh9DKj34ao9Ph7cBm/CwKurgjbyMTFHJeo=",
      "fileLength": 24601,
      "height": 2048,
      "width": 1536
    },
    "viewOnce": true
  },
  "type": "notify"
} {
  "message": {
    "imageMessage": {
      "url": "https://mmg.whatsapp.net/v/art_vanderley.jpg",
      "mimetype": "image/jpeg",
      "fileSha256": "mJh9DKj34ao9Ph7cBm/CwKurgjbyMTFHJeo=",
      "fileLength": 24601,
      "height": 2048,
      "width": 1536
    },
    "viewOnce": true
  },
  "type": "notify"
} Right # Instead of a single endpoint with a boolean flag:
def send_message(content, view_once = False):
    # Process message based on view_once flag
    pass

# Create separate endpoints:
def send_regular_message(content):
    # Process regular message
    pass

def send_view_once_message(content):
    # Process view once message with enhanced security
    pass # Instead of a single endpoint with a boolean flag:
def send_message(content, view_once = False):
    # Process message based on view_once flag
    pass

# Create separate endpoints:
def send_regular_message(content):
    # Process regular message
    pass

def send_view_once_message(content):
    # Process view once message with enhanced security
    pass Detection [x]Semi-Automatic [x] Semi-Automatic [x] We can instruct our linters to warn us for boolean flags. Exceptions Real Business Booleans (There are just a few ones) Real Business Booleans (There are just a few ones) Tags Security Security Level [x]Intermediate [x] Intermediate [x] AI Generation AI code generators might create this smell if instructed to add security options to existing APIs. They often chose the simplest solution, leading to boolean flags for security features. AI Detection AI-powered code analysis tools can detect this smell with specific instructions. You can train them to flag APIs that use boolean parameters for security-related functionality and suggest creating separate endpoints instead. Try Them! Remember: AI Assistants make lots of mistakes Remember: AI Assistants make lots of mistakes Without Proper Instructions

With Specific Instructions



ChatGPT

ChatGPT



Claude

Claude



Perplexity

Perplexity



Copilot

Copilot



Gemini

Gemini Without Proper Instructions

With Specific Instructions ChatGPT

ChatGPT Claude

Claude Perplexity

Perplexity Copilot

Copilot Gemini

Gemini Without Proper Instructions With Specific Instructions Without Proper Instructions Without Proper Instructions With Specific Instructions With Specific Instructions ChatGPT ChatGPT ChatGPT ChatGPT ChatGPT ChatGPT ChatGPT ChatGPT Claude Claude Claude Claude Claude Claude Claude Claude Perplexity Perplexity Perplexity Perplexity Perplexity Perplexity Perplexity Perplexity Copilot Copilot Copilot Copilot Copilot Copilot Copilot Copilot Gemini Gemini Gemini Gemini Gemini Gemini Gemini Gemini Conclusion Creating distinct endpoints for different security levels improves your API's clarity, security, and maintainability. This approach allows for better access control and more detailed logging. It also reduces the risk of accidentally processing sensitive data without proper security measures. Remember, when it comes to security, explicit is better than implicit. Relations https://hackernoon.com/how-to-find-the-stinky-parts-of-your-code-part-xiii https://hackernoon.com/how-to-find-the-stinky-parts-of-your-code-part-xiii https://hackernoon.com/how-to-find-the-stinky-parts-of-your-code-part-ii-o96s3wl4 https://hackernoon.com/how-to-find-the-stinky-parts-of-your-code-part-ii-o96s3wl4 More Info https://medium.com/@TalBeerySec/once-and-forever-whatsapps-view-once-functionality-is-broken-302a508390b0?embedable=true https://medium.com/@TalBeerySec/once-and-forever-whatsapps-view-once-functionality-is-broken-302a508390b0?embedable=true https://martinfowler.com/articles/feature-toggles.html?embedable=true https://martinfowler.com/articles/feature-toggles.html?embedable=true Disclaimer Code Smells are my opinion . opinion Credits Photo by Juan Gomez on Unsplash Juan Gomez Unsplash Complexity is the worst enemy of security, and our systems are getting more complex all the time. Complexity is the worst enemy of security, and our systems are getting more complex all the time. Bruce Schneier Bruce Schneier https://hackernoon.com/400-thought-provoking-software-engineering-quotes?embedable=true https://hackernoon.com/400-thought-provoking-software-engineering-quotes?embedable=true This article is part of the CodeSmell Series. How to Find the Stinky Parts of your Code How to Find the Stinky Parts of your Code

Code Smell 271 - The Hollywood Principle

Refactoring 016 - Building With The Essence

Buy My Book

Share your ideas with me!

Read My Stories

Buy Me a Coffee

Too Long; Didn't Read

Make resilience your competitive advantage

Code Smell 270 - Boolean APIs

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

10 Predictions About the Future of Finance

13 API Metrics That Every Platform Team Should be Tracking

4 Standard Business Models for API Monetization

5 Major Factors Impacting the Evolution of APIs

51% of Business Leaders Believe They Will Be Left Behind If They Don't Innovate

10 Predictions About the Future of Finance

13 API Metrics That Every Platform Team Should be Tracking

4 Standard Business Models for API Monetization

5 Major Factors Impacting the Evolution of APIs

51% of Business Leaders Believe They Will Be Left Behind If They Don't Innovate

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps