Issue
The way I understand access tokens is that the server grants an access token to the client, which the client would then send back alongside any requests in the request header to the server to prove their authentication/claims.
What would stop a user from grabbing their granted access token and using it in the header of a custom made POST request in Postman, giving them the ability to add whatever data they pleased into the database?
Is there any way to defend against this?
Solution
You are not in control of a client side app at all once it’s out there, and you’re right it’s very easy to pretend to be your app and make custom requests. Anything in your client side code is changeable or replicable by a user.
Because of this you should assume that all users are evil and any checks you make client side on inputted data should be replicated server side.
It’s also not enough to consider data going in, you should also check that a given user has the rights to query things that they ask for as it’s trivial to change an id in a request for some data. Especially when ids are incremental ints, they are very prone to simply changing a url, without going anywhere near postman.