I am new to API development. My client requires me to check or restrict API calls so that they come only from valid sources:
the API will throw an error when requested from Postman or a similar tool in production. Looking for a solution in Laravel 6.*
You can check:
the User-Agent header in the request, and allow only certain user agents of your choice;
the Referer header field, to identify the domain from which the endpoint request is made.
You should first define valid sources.
There are various ways to restrict your API calls, like:
From where the API should be called: web, Postman, etc.
From which IP address. You can limit API calls from one IP address using the throttle middleware (for security purposes).
You can put encryption on your API call so that only your application can call that API.
You should always use Authorization on the API to secure the API response.
Always use server-side validation on every API, just like you do in your POST or GET requests.
They are saying something like:
After the user has logged in and given their permission, the Envato API will redirect them back to your application on the Confirmation URL provided, with a single-use authentication code provided in the query string (eg. http://your.app/callback?code=abc123...). You must use this code to request an access token from the API, by sending the following POST request from your server (encoded as application/x-www-form-urlencoded), replacing [CODE] with the code you've just received, [CLIENT_SECRET] with your secret application key, and the other fields as necessary:
POST https://api.envato.com/token
grant_type=authorization_code&
code=[CODE]&
client_id=[CLIENT_ID]&
client_secret=[CLIENT_SECRET]
I am able to get the code with $_GET['code']; how do I make a POST request to the above URL?
You'd probably want to use curl or a similar library. Here's a quick tutorial about curl that includes a post: http://codular.com/curl-with-php. It even mentions oauth, which sounds like what you're doing.
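An added example of the exchange described in the quoted docs, written with PHP's curl extension; it is not code from the question, the answer or the linked tutorial. It assumes the client id and secret are read from server-side environment variables and that the JSON response carries a standard OAuth2 `access_token` field, which the quoted text does not spell out.

```php
<?php
// Added example: exchange the single-use ?code=... from the callback for an
// access token at the Envato token endpoint, sending the form-encoded POST
// body the docs require. Assumptions: ENVATO_CLIENT_ID / ENVATO_CLIENT_SECRET
// env vars, and an "access_token" field in the JSON reply (standard OAuth2).

function exchangeEnvatoCode(string $code, string $clientId, string $clientSecret): array
{
    $ch = curl_init('https://api.envato.com/token');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        // application/x-www-form-urlencoded body, exactly the four fields quoted above
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type'    => 'authorization_code',
            'code'          => $code,
            'client_id'     => $clientId,
            'client_secret' => $clientSecret,
        ]),
        CURLOPT_HTTPHEADER     => ['Content-Type: application/x-www-form-urlencoded'],
        CURLOPT_RETURNTRANSFER => true,
        // keep TLS verification on: the client secret must only ever reach api.envato.com
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $err    = curl_error($ch);
    curl_close($ch);

    if ($body === false) {
        throw new RuntimeException("token request failed: $err");
    }
    $json = json_decode($body, true);
    if ($status !== 200 || !is_array($json) || empty($json['access_token'])) {
        throw new RuntimeException("token endpoint returned HTTP $status: $body");
    }
    return $json;   // access_token plus whatever else the endpoint returns
}

// Callback handler: the secret comes from server-side config, never from the browser.
$code = $_GET['code'] ?? '';
if ($code === '') {
    http_response_code(400);
    exit('missing code');
}
$token = exchangeEnvatoCode($code, getenv('ENVATO_CLIENT_ID'), getenv('ENVATO_CLIENT_SECRET'));
```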
I am using the Moodle core REST API and I am following this Stack Overflow answer for my login request. The login end-point is working successfully.
API Request
$ curl -d username="fmcorz" -d password="$PASSWORD" 'https://moodle.org/login/token.php?service=moodle_mobile_app'
Response
{
"token":"SNIPTOKEN",
"privatetoken":"SNIPPRIVATE"
}
I am using the token to get the user ID and other things, but I want to know what the main purpose of privatetoken is.
According to my understanding this will be used if the Moodle installation is on HTTPS, and "token" will be used when we use HTTP, but I'm not sure as I only have an HTTP-based server.
Please help me understand this so I can choose the best available token to implement the Moodle REST API.
Thanks.
According to the token docs, privatetoken is only sent when the token is first created and should be saved by the client. The source says it's only sent when the connection is https and the user is not an admin. So I assume it's an edge thing as it should be returned only in very special circumstances. It sounds like it's the Random all-time valid token which can only be sent over https and not for an admin user.
Background: According to Bitly's API documentation, when a link is shortened via their API, it should be shortened using the domain that the authenticated user has set as their default domain if no domain is specified in the API request.
Parameters
longUrl - a long URL to be shortened (example: http://betaworks.com/).
domain - (optional) the short domain to use; either bit.ly, j.mp, or bitly.com or a custom short domain. The default for this parameter is the short domain selected by each user in their bitly account settings. Passing a specific domain via this parameter will override the default settings.
format - json, xml, txt. Default: json.
Quote taken from Bitly's API documentation found here: https://dev.bitly.com/links.html#v3_shorten
Problem: In my plugin, however, it ALWAYS returns the link shortened in the bit.ly format and NEVER returns a link shortened using a custom short domain. This is the case both in my testing and for several other users who use this script.
Context: You can see my function starting on line 203 of this GitHub file here: https://github.com/warfare-plugins/social-warfare/blob/master/functions/bitly.php
You can see that actual API request being built down on line 230.
I tried manually declaring the domain parameter, and it still failed to produce the desired results.
Question: So how do I get it to use the user's default domain name instead of always using the bit.ly domain name?
Bitly Engineer here ...
First, you can get direct Bitly API support at api#bitly.com.
The current user is determined by the access token that you pass to the API call. We then determine the default domain for that user. So likely, the default domain for whatever user is tied to the access token you are passing is bit.ly.
So how do I get it to use the user's default domain name instead of always using the bit.ly domain name?
Just call the API w/ the access_token for the user. You would generally get this via oauth flow for a multi-user application. If there is a specific example of this not working feel free to contact us at the support email and we can debug further.
So I'm working on a project in which I'll provide an information feed to a specific business partner. There's no login required because the business partner's front-end has to pass a preallocated apiKey along with any request to my REST API. The API only responds to requests that contain a valid apiKey, and its access level has already been predefined when we generate the apiKey.
Currently I'm using CakePHP, with curl, passing the REST request method and the hardcoded apiKey as a param. Security hasn't been an issue so far. But our team is thinking: what if our business partner wants their website to be done in a recently trending JS front-end framework such as AngularJS?
For the same scenario, such a simple task cannot be done in a JS framework. I obviously cannot simply give them the client secret (apiKey) and let them include it in their client-side code. Anyone could view the secret and have access to our REST API.
Now we're talking about security, which my team really does not know much about. What are the ways to overcome this issue? How do we pass a client secret along with an HTTP request from AngularJS, securely and obscurely? Any suggestion, or could anyone point out something that I can study?
I had some ideas, though, but they just don't sound right.
I'll just put the AngularJS app in CakePHP's webroot. That would be a really dirty hack though... it just introduces unnecessary complexity.
Generate a hash from a combination of constraints such as Origin domain / IP / public secret and timestamp, and on my API side compare the hash and return an access token for each request... something like that...
There are different options:
JWT (see my article)
OAuth (pick one)
A proxy to your API
The first two will require an initial authentication request; you'll get a token back that is passed in every future request to your site.
You can create a proxy: the site calls the proxy, which then makes another call to the real API and adds your API key.
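An added example of the proxy option above, as a plain PHP script rather than code from the question or the answer (it works the same inside a CakePHP controller). Constructed assumptions: the upstream API at https://api.example.com/v1/ accepts the key in an `X-Api-Key` header, the key is in a `PARTNER_API_KEY` environment variable, and a logged-in browser session is marked by `$_SESSION['user_id']`.

```php
<?php
// Added example: a server-side proxy. The AngularJS front-end calls this script
// on your own domain; only this script knows the partner apiKey and forwards
// the request to the real REST API. Constructed values: PARTNER_API_KEY env
// var, the upstream base URL, the resource allowlist and the session check.

session_start();
if (empty($_SESSION['user_id'])) {         // the browser must hold a logged-in session first
    http_response_code(401);
    exit('login required');
}

$apiKey  = getenv('PARTNER_API_KEY');       // lives in server config, never in JS
$baseUrl = 'https://api.example.com/v1/';   // assumed upstream REST API
$allowed = ['feed' => ['GET'], 'items' => ['GET']];  // resource => permitted methods

$resource = basename($_GET['resource'] ?? '');       // e.g. proxy.php?resource=feed
$method   = $_SERVER['REQUEST_METHOD'];
if (!isset($allowed[$resource]) || !in_array($method, $allowed[$resource], true)) {
    http_response_code(403);
    exit('resource not permitted');
}

// Forward only a vetted subset of the query string, never the whole request.
$query = array_intersect_key($_GET, array_flip(['page', 'limit']));
$url   = $baseUrl . $resource . ($query ? '?' . http_build_query($query) : '');

$ch = curl_init($url);
curl_setopt_array($ch, [
    CURLOPT_CUSTOMREQUEST  => $method,
    CURLOPT_HTTPHEADER     => ['X-Api-Key: ' . $apiKey, 'Accept: application/json'],
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true,         // the key must only reach the real API host
    CURLOPT_TIMEOUT        => 10,
]);
$body   = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
curl_close($ch);

if ($body === false) {
    http_response_code(502);
    exit('upstream unavailable');
}
http_response_code($status);                // relay the API's status and JSON body
header('Content-Type: application/json');
echo $body;
```

The front-end now only ever sees the proxy URL and the user's own session cookie; the apiKey never leaves the server.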
I have developed a website with my friend. For the front-end we are using AngularJS, and for the back-end we're using Laravel.
Whenever data has to be fetched, an API call is made from the front-end to PHP.
My concern is that this API call is clearly visible in the network panel. Then some bad guy can easily abuse this API. How can I avoid this?
In most cases exposing your API is not a bad thing, but you need to think about this:
1. You should design your API so that only legitimate operations can be made. For example: a person shouldn't be able to delete the whole database using the API.
2. You could provide some authentication mechanism if needed, so the person trying to call your API will have to be logged in (the authentication token should be stored in the session and verified server-side with every API call).
If you want to hide POST/GET params from the console, try to make a JSONP call in Angular. JSONP calls are not real AJAX requests and won't be shown in Firebug. You can also clear the console using clearconsole() after you receive the response, and you can also authenticate the requesting IP in your Laravel backend.
It's just like regular routing. For example: Everybody knows that they can access a user's profile on Facebook on the /:username route, but Facebook prevents unauthorized clients from viewing that data. The same concept is used for REST routes.
Just like regular page requests, AJAX calls and the data passed/received can be seen by the user. JSONP can be used to prevent the API requests from being logged by regular developer tools, but that is not a good security solution; your API can still be discerned by a malicious user.
Even if you encrypt the request payload and the response, it can be intercepted by a malicious user before encryption and after decryption.
You mentioned using proper authentication on your API, which is usually good enough for most cases.
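An added Laravel 6 example covering both the first thread (restricting who may call the API, with throttling) and this thread's authentication point; it is not code from any of the answers. User-Agent and Referer are set by the caller, so the middleware instead checks a per-client key that only authorised clients hold, and is paired with Laravel's built-in throttle middleware. Assumed names: the `RequireApiKey` class, a `services.api_clients` config array populated from `.env`, the `api.key` alias and the `/feed` route.

```php
<?php
// Added example: Laravel 6 route middleware that requires a per-client API key
// in the Authorization header. Assumed: config('services.api_clients') maps
// key => client name and is filled from .env, so no key ships in front-end code.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class RequireApiKey
{
    public function handle(Request $request, Closure $next)
    {
        // Expects "Authorization: Bearer <key>"; Request::bearerToken() parses it.
        $presented = (string) $request->bearerToken();
        $clients   = config('services.api_clients', []);

        // Compare against every configured key with hash_equals (constant time)
        // and do not break early, so a mismatch leaks nothing via timing.
        $client = null;
        foreach ($clients as $key => $name) {
            if ($presented !== '' && hash_equals((string) $key, $presented)) {
                $client = $name;
            }
        }
        if ($client === null) {
            return response()->json(['error' => 'unauthorized'], 401);
        }

        // Make the identified client available to controllers and request logs.
        $request->attributes->set('api_client', $client);
        return $next($request);
    }
}

// app/Http/Kernel.php, inside $routeMiddleware:
//     'api.key' => \App\Http\Middleware\RequireApiKey::class,
//
// routes/api.php: key check plus at most 60 requests per minute per caller
//     Route::middleware(['api.key', 'throttle:60,1'])
//         ->get('/feed', 'FeedController@index');
```

Requests without a valid key, from Postman or anywhere else, get a 401 before any controller runs, and excess traffic from a valid client gets Laravel's 429 from the throttle middleware.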