I have a mobile app that needs to use Api keys in order to make requests, I however don't want to have the API keys saved to the app.
I want to use Laravel as a sort of proxy so that I can catch the request, modify it with the API keys and any other info and forward the request downstream
Any leads on how to achieve this?
This is not a Laravel problem per-se. Consider this: when you store the APIkey somewhere in the protected storage of a mobile device, you are using an industry standard way to "secure" your secrets. If those secrets are in danger, the operating system would surely be patched.
If you inject the API key into an external web server, you are making the API key useless, since now all the incoming requests are not authenticated (you are not using an API key on your client since you are injecting it at server side).
Therefore, you are developing a public web server in which all of your resources are freely available and abusable, defeating the purpose of having an API key.
Related
I have a security-related question - I'm developing an app that populates its database by using a PHP script on a remote server. I wouldn't like to make the PHP script publicly available, but just use it from the specific mobile application (written with TypeScript using the Ionic Framework). How could I accomplish this?
Make your mobile application to provide with the query some kind of secret string / token. And your server side PHP script will not proceed without valid token provided from the request.
The token can be part of your POST/GET/HTTP header or so.
What I've done in the past to achieve something like this is to setup an API key system. You generate API keys server-side, and you lease out valid keys that you have generated to your application(s). You would then use that key in your application, and that would get sent to the server and parsed by a php script whenever you call the script from your mobile application. If the key is valid, then the request is valid.
There are some security considerations to think about, i.e what happens if someone gets your API key? Are you logging remote IP's (and fully qualified domain names) and API usage, will your system be able to invalidate the key whenever necessary? Is the API request utilising TLS connections?
Before I start, I want to tell that I am new to building RESTful APIs and also have never dealt with any authentication.
I want to setup a main server which will get API requests from client (let the server IP/Domain be, api.example.com). I want to be able to use POST request to send a file to the server with an API key. What are the ways that I could authenticate the API key in the main server and then POST the file again from there to another server depending on the API key (like two categories 0 and 1)
If the file is publicly available on client server, is it good if I just send the url to the main server which passes it to the second server and then download the file there ? Once that is done, the client will also have to use a GET request.
I am thinking of having wordpress on main server to make registrations easy (write a plugin to generate api to each user). Is it a good idea ?
I have seen this : Web API creating API keys
But the client side will be public (all the client side services I will write will be open source and the api itself is open for developers to develop for their own need.) So I figured hashing the key with any method can be reversed because it's public. I just want to use a single API key around 30 characters and their email and match it in main server.
EDIT
I just figured out something, but i don't know if it's a good strategy. If I could ask the users to add the domain from which the will make the request, and then just have only one API key and send it to the server so the server could match between the APIKey and the Domain and if it is listed continue with the POST.
You can use HTTP Headers to implement your authentication. Typically users will base64 encode the AUTH Header containing the API key issued to them. The server application will decode this API key from the HTTP Request it receives and perform a lookup from a datasource to validate the keys.
Why is it required to protect API calls with additional API key secret and sign API call?
Sending only one API key over SSL connection should be enough to protect requests IMHO.
Is it because some clients will be unable to make https connections (or verify server cert.) and API should cater to them, or there is another reason?
Most API's require using 2 API keys: API key and API key secret, also tnonce (UNIX timestamp) and then sign API call using some hashing algorithm. Is it really so necessary since every call is made over SSL?
For many web APIs, a developer is required to obtain an API key that they must use with all their API requests. The uses I've seen are generally not for security reasons (thus SSL doesn't replace the need for the API key), but rather are used to track which API requests belong to which developer.
This is even more important when the API requests are coming from javascript in a web page because in that cases, the IP address of a given request will belong to the end-user, not the developer so IP address tracking is not very useful. But, the API key will identify which developer the request belongs to even when made by an end-user browser from a web app. Then, if there are problems with the use of the API, the host site can know who is behind the problem requests and then either contact that developer or shut down or moderate access for that particular developer without affecting other users of the API who are not causing an issue.
Thus, the API key facilitates monitoring and managing the use of the API by different developers. In some APIs, a developer is asked to obtain a separate API key for each "app" that they are using the API for to provide even further granularity and control.
In some cases, I've even had a host site contact me (the developer using an API key) and suggest a more efficient way for me to use their API to get the data I wanted (presumably because this took less load on the site's back-end servers).
In particularly bad cases where an API is being misused or used for illicit purposes, an API key can be revoked by the host site such that it no longer works (all requests using that API key are rejected).
I'm currently working on a mobile application with an Objective C developer. Because of the nature of mobile devices and how they work, all data is retrieved through an API I have created.
For example, if the user is trying to find something specific to do with the application on a page (a search maybe), the application would make a request:
http://mydomain.com/api/search?param1=hello¶m2=world
If these calls are made from the mobile device through the application I know they are legitimate requests (what I class as legit, anyway). If they're coming from somewhere else I really need to stop that. For example, another developer could copy the exact same application and use the API I have built on my server and there is no way I know of that can stop them doing that.
Is there a way I can secure the API some how to stop the API from being accessed outside the app?
Assuming there are no user accounts for authentication, the only way to secure the app is to hardcode a security token in the mobile app. And even doing so, it won't be 100% secure, because of reverse engineering.
Your API only receive HTTP requests, so the only way to differenciate a legitimate with a non-legitimate request is to send a further information that will be considered as valid on your server side (as OAuth tokens), but if there are no user accounts, you will have to send an identical token shared by all apps (or following a commnon rule).
I think that the best solution here is to hardcode the security token, it will at least force "hackers" to reverse engineer your app and not just sniffing the network.
I'm planing to create a few simple REST web services to be used by some other applications (everything internal, not facing Internet). For certain reasons the applications should work with SSO (Windows, NTLM or other). The issue I have is how to do the authentication in the web service.
The application calling the web service has no knowledge of the users password so I'm kind of lost on how to authenticate against REST without having the user to login? eg. avoid Basic Authentication
I would like to avoid login due to simplicity for the user and not having to handle passwords in my applications. What are my options? Am I missing something obvious?
Would this be a solution:
create token, pass it to service and store it in database. web service checks if token exists in database. (expiration handling?)
The most common solution to this problem is, as you mentioned, a simple key or token based authentication. This is how a lot of google services (e.g maps) work. You simply generate a key on your service provider for each consumer, store it in your database, and validate that all calls pass a valid key.
More sophisticated options would be HMAC or OAuth authentication. Given your situation, i.e. providing services only within your intranet, I'd say keep it simple and go with a single key authentication.
In the above scenario I don't see the need for handling expiration. Nonetheless, if you'd like to implement it, then you could
on each client request, generate a timestamp based token on the server
in your reply to the request, also include this token
client should use both the static API key and the dynamic token in subsequent requests
server should check the token's lifetime and accept / refuse the request as necessary.