Daniel's Blog

Thoughts On: What's inside the QR code menu at this cafe?

This is a great article about open APIs and security:

What's inside the QR code menu at this cafe?

I work with Django from time to time, and this API reminds me of it. The default IDs for items are all integers, and as such they are incremental. It is trivial for someone to write a script that loops through all of a particular model's objects and requests each one.

At AmigoCloud, one of the security changes we made was to start using GUIDs in the API instead of the default integer IDs. At least then each endpoint's identifier is unique rather than the next number in a sequence.
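To make the two points above concrete (sequential integer IDs can be walked, random UUIDs cannot), here is an added example that is not from the article, from AmigoCloud, or from the cafe's API. It parses a constructed access log in a hypothetical `ip method path status` format, flags any client that requests a run of consecutive integer order IDs, and shows the UUID key generation that replaces the sequential integer; the endpoint path `/api/orders/` and the log lines are assumptions.

```python
import re
import uuid
from collections import defaultdict

# Constructed sample access log, not from the article: one client walks
# sequential integer order ids, another fetches a single UUID-keyed order twice.
SAMPLE_LOG = """\
203.0.113.7 GET /api/orders/1001 200
203.0.113.7 GET /api/orders/1002 200
203.0.113.7 GET /api/orders/1003 200
203.0.113.7 GET /api/orders/1004 404
203.0.113.7 GET /api/orders/1005 200
198.51.100.9 GET /api/orders/3f2504e0-4f89-11d3-9a0c-0305e82c3301 200
198.51.100.9 GET /api/orders/3f2504e0-4f89-11d3-9a0c-0305e82c3301 200
"""

# Hypothetical log layout "ip method path status"; adjust the regex for a real server.
LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) /api/orders/(?P<obj_id>[^/\s]+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Return (ip, object id) pairs for every line that hits the order endpoint."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("ip"), m.group("obj_id")))
    return entries


def find_sequential_scans(entries, min_run=3):
    """Return {ip: longest run of consecutive integer ids} for clients whose
    longest run is at least min_run. Non-integer ids (UUIDs) are ignored, which
    is the point: a UUID-keyed endpoint gives an enumerator nothing to count up."""
    ids_by_ip = defaultdict(list)
    for ip, obj_id in entries:
        if obj_id.isdigit():
            ids_by_ip[ip].append(int(obj_id))
    flagged = {}
    for ip, ids in ids_by_ip.items():
        longest = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[ip] = longest
    return flagged


def make_uuid_key():
    """Random (version 4) UUID as a string primary key. The Django equivalent is
    id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)."""
    return str(uuid.uuid4())


if __name__ == "__main__":
    print(find_sequential_scans(parse_log(SAMPLE_LOG)))  # {'203.0.113.7': 5}
    print(make_uuid_key())
```

Note that the 404 in the middle of the first client's requests does not break the run: a consecutive sequence of IDs with occasional 404s (deleted or never-created rows) is exactly what an enumeration of an integer-keyed table looks like in the logs, and is a useful signal on its own.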

The business here has specifically removed authentication before ordering, most likely to make it as easy as possible for people to order. A better idea may be passwordless access: for example, a text sent to the person's phone containing a unique link that confirms the order before it is placed.
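The confirmation-link idea above, as an added example that is not part of the original post: a store that issues a random, single-use, expiring token per order and keeps only its SHA-256 digest, so a copy of the table does not yield working links. The 15-minute lifetime, the `https://cafe.example/confirm/` URL prefix and the order and phone values are assumptions; sending the SMS itself is out of scope.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a confirmation link is good for 15 minutes
CONFIRM_URL = "https://cafe.example/confirm/"  # placeholder prefix, not from the article


class ConfirmationStore:
    """Single-use, expiring confirmation tokens for pending orders.

    Only the digest of each token is stored; the clear-text token exists only in
    the link that is texted to the customer."""

    def __init__(self):
        self._pending = {}  # digest -> {"order_id", "phone", "expires_at"}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, order_id, phone, now=None):
        """Create a token for this order and return the link to send by SMS."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        self._pending[self._digest(token)] = {
            "order_id": order_id,
            "phone": phone,
            "expires_at": now + TOKEN_TTL_SECONDS,
        }
        return CONFIRM_URL + token

    def confirm(self, token, now=None):
        """Return the order id if the token is known, unexpired and unused, else None.
        The record is removed on first use, so a replayed link does nothing."""
        now = time.time() if now is None else now
        record = self._pending.pop(self._digest(token), None)
        if record is None or now > record["expires_at"]:
            return None
        return record["order_id"]


def token_from_link(link):
    """Extract the token from a confirmation link (token_urlsafe never contains '/')."""
    return link.rsplit("/", 1)[1]


if __name__ == "__main__":
    store = ConfirmationStore()
    link = store.issue("order-42", "+15555550100")  # constructed sample values
    print(link)
    print(store.confirm(token_from_link(link)))  # order-42
    print(store.confirm(token_from_link(link)))  # None: already used
```

The `now` parameter exists so expiry can be tested deterministically; in production both methods use the wall clock. Because the token carries 256 bits of randomness, a plain dictionary lookup on its digest is sufficient here; the thing this design protects against is the same enumeration problem as the integer IDs, which a sequential "confirmation number" would reintroduce.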

There are lots of other improvements that could be made, and they should go through each one and choose a better approach. I do feel for the company having their clients leave over the years. I wonder if it was because it is too difficult for the clients to keep the menus up to date, or if online ordering never took off for them.

The pandemic really caused some businesses to soar and others to crash.