I have a route, for example /data, which brings data from php to nodejs using curl, but this route is also available from the client side, so I want to allow to use this route only for curl request. How do I can implement it ?
You can't, as HTTP is an open protocol and all client can be simulated.
However, a simple credential can be used to protect the resource, such as /data?password=u8iK9oC -- unless the password is correct, no /data resource would be returned to client. If only curl client know this password, the requirement is implemented.
Use an authentication or IP whitelist. Because any data in the request can be modificated.
Related
I want use POST to Transfer data between PHP server and Android client, how to improve security? For example, how can you ensure that believable and successful access to the server API can only be my Android client?
because of app have Login mechanism, so I think I should add the account verification code in every post(It consists of user password and so on, may be encrypted by MD5), Then every POST have clear sources, if the source is invalid(don't have verification code or it's wrong), Server denial of service. Is this feasible?
I would recommend setting up a RESTful web service first of all. This would allow you to filter requests coming from the Android client by their method, for example only handing POST for certain end points.
If you knew that only an Android client would be accessing your server you could also enforce that a "client" or "auth" token (simply a JSON property) must be sent with every request and you would then only supply this token to the Android client implementation and refuse any attempt to access your server which didn't include the token.
It's also important not to access superglobals such as $_POST in PHP directly, instead use filter_input().
This is just a suggestion and there is much more you can do.
Before I start, I want to tell that I am new to building RESTful APIs and also have never dealt with any authentication.
I want to setup a main server which will get API requests from client (let the server IP/Domain be, api.example.com). I want to be able to use POST request to send a file to the server with an API key. What are the ways that I could authenticate the API key in the main server and then POST the file again from there to another server depending on the API key (like two categories 0 and 1)
If the file is publicly available on client server, is it good if I just send the url to the main server which passes it to the second server and then download the file there ? Once that is done, the client will also have to use a GET request.
I am thinking of having wordpress on main server to make registrations easy (write a plugin to generate api to each user). Is it a good idea ?
I have seen this : Web API creating API keys
But the client side will be public (all the client side services I will write will be open source and the api itself is open for developers to develop for their own need.) So I figured hashing the key with any method can be reversed because it's public. I just want to use a single API key around 30 characters and their email and match it in main server.
EDIT
I just figured out something, but i don't know if it's a good strategy. If I could ask the users to add the domain from which the will make the request, and then just have only one API key and send it to the server so the server could match between the APIKey and the Domain and if it is listed continue with the POST.
You can use HTTP Headers to implement your authentication. Typically users will base64 encode the AUTH Header containing the API key issued to them. The server application will decode this API key from the HTTP Request it receives and perform a lookup from a datasource to validate the keys.
I am currently learning about OAuth2, and I am slightly confused about one part of it. Does the OAuth2 server compare the domain in the JWT with the domain in the request header?
What prevents someone from ripping a bearer token out of a JS app and then using it to make fraudulent API requests? Even if HTTPS is used, the token sent back from OAuth2 still has to be stored before it can be used in subsequent requests, thus making it vulnerable. What am I missing?
Edit: what if I create an oauth2 token from a non-browser client and there is no domain name to match against?
Nothing prevents it from being used. That's why you store it safely or you don't store it at all.
I want to write a hacking protected web services for PHP. Can anyone give me a example how to write that? How to send the authentication headers and how to manage it in the web service?
Many Thanks,
Naveed
First. Never write your own authentication.
Second. Save yourself the pain and serve your service up using https. It opens a lot more options for authentication that are both simple and secure. OAuth 2, Client Side SSL Certificates and even plain old Basic HTTP authentication are options if you are enforcing https. Even if you're doing your own token passing, you'll probably want to do so over SSL.
If https isn't an option, you can consider earlier versions of OAuth that don't require SSL.
Personally, I use a web service to authenticate the user. This web service return the token (a randomized string).
Then the user can call other web services with their specific arguments + the token.
If the token is not valid / expired / ... => I return a message to authenticate
else I return what should be returned :)
Hope this help...
Is it possibile to update the status of facebook externally using a user's username and password with PHP. without any user interaction(like facebook connect).
Also without using curl.
I know there are come facebook mobile clients like snaptu. how do they access inbox, wall and our status just knowing the username and password.??
Thanks in advance
I don't know what you have against cURL, but you can do this with any HTTP client that can handle cookie (or that you can roll cookie support for).
However you should not even remotely consider doing this! Unless it's for a hacky script that will never leave your computer and that you use for your own account. You should never be asking for other peoples' passwords. Use OAuth.
Without using CURL or other POST requests it isn't possible.
How can you even think about not using cURL? All the FB API is exposed via HTTP, and if you don't end up using cURL, you will use HTTP anyway, and construct the HTTP request manually and send it via bare sockets.
And that's where cURL could use your job. But it's basically the same.
The apps you're mentioning are screen scraping the FB website and send the HTTP request accordingly - with cURL.