My application allows the user to connect to my backend from which it will redirect the request to an external api of another website.
This other website allows access to a REST API through the usage of an application and private key. The keys are stored in my backend server for security purposes. The other website allows other developers/administrators to make their own instance of that website with the same REST API keys but with different content.
So the flow is as follows:
Client application connects to backend server.
(When successfully authenticated) The client sends request for information to backend server.
Backend server forwards the request to a REST API instance of an external website.
REST API instance of the external website returns requested information to backend server.
Backend server returns requested information to client.
In the process of requesting the information, the client needs to specify to which external API the backend server should connect via a URI.
With security in mind I've noticed a big issue with my system: the user could send a URI of a "REST API" in his possession that actually captures all the data between the backend server and the bad "REST API". This way the bad URI could capture the secret REST API keys for malicious purposes.
How can I be sure that the URI the client provides to the backend server is a legitimate URI for an external REST API and not just a random, bad or malicious URI?
The only solution I've came up with is a database check for the legitimacy of a URI to cope with this issue.
Related
My team has a Web App(Laravel) and Android Application written in Kotlin. Our website has a Registration and Login forms but my problem is everyone can build their own app and call a POST method in registration form.
How can I secure our WebApp so that the only POST METHODS it accepts are just the forms from our own Android App and Web App?
Short answer: you can't.
For web apps, you could restrict origin by allowing specific domains in your CORS config. But since mobile Apps can change their IP there is no 100% secure way to restrict a public endpoint (at least I didn't find it when I faced the same issue).
Anyway, you can try to add an extra security layer by including a request header with some encrypted content that must be decrypted and approved by your API.
But this is not completely secure, Android apps can be decompiled with reverse engineering and they will find how your encrypted header is done.
If Android apps are not public (can't be downloaded from Google play services) you can also try to use the installation_id generated, but it will change when the app is reinstalled. In this way, you can approve or reject requests as per installation ids
You can JWT Tokens to verify the request .
If request is from a legitimate user then return the JSON data otherwise return an error . You can read more about JWT Tokens here
https://jwt.io/introduction
I have a web app hosted in Firebase in vue.js. The app access to the organization's main database via API to a back-end server developed in PHP (laravel) hosted in GAE.
I'd like to know if using Firebase Cloud Function on the client (js) to make calls to a back end API (PHP) would help me to protect data and be more efficient authenticating calls from the client to back end.
Currently:
Users login into the client using Firebase Auth and the client sends the resulting token to my back-end server on each API call. Then the back-end verifies the token received via HTTPS using FB Auth API and then if verified, the backend would return the request data via JSON back to the client-side via HTTPS response.
My 2 biggest concerns are:
1) would this approach scale well with more users.
2) for large extractions of data, i.e. 1000+ rows. I'd like to avoid to have JSON objects being "downloaded" on the client.
New Scenario:
The users would still log in on the client (vue.js) using FB Auth, but the Client would use FB Cloud Functions to make the calls to the Back-End API data hosted on GAE and then return the data as an array.
The advantages I hope to utilize are:
- The client will not have https traffic with data as this would be handled by FBCF and send to the client via socket (?).
- Save verification auth calls from the server, IF there is a way for FBCF to make calls to GAE without the need to pass the token (maybe using endpoints?)
Does this make sense or am I introducing a middle man unnecessarily?
I want use POST to Transfer data between PHP server and Android client, how to improve security? For example, how can you ensure that believable and successful access to the server API can only be my Android client?
because of app have Login mechanism, so I think I should add the account verification code in every post(It consists of user password and so on, may be encrypted by MD5), Then every POST have clear sources, if the source is invalid(don't have verification code or it's wrong), Server denial of service. Is this feasible?
I would recommend setting up a RESTful web service first of all. This would allow you to filter requests coming from the Android client by their method, for example only handing POST for certain end points.
If you knew that only an Android client would be accessing your server you could also enforce that a "client" or "auth" token (simply a JSON property) must be sent with every request and you would then only supply this token to the Android client implementation and refuse any attempt to access your server which didn't include the token.
It's also important not to access superglobals such as $_POST in PHP directly, instead use filter_input().
This is just a suggestion and there is much more you can do.
Before I start, I want to tell that I am new to building RESTful APIs and also have never dealt with any authentication.
I want to setup a main server which will get API requests from client (let the server IP/Domain be, api.example.com). I want to be able to use POST request to send a file to the server with an API key. What are the ways that I could authenticate the API key in the main server and then POST the file again from there to another server depending on the API key (like two categories 0 and 1)
If the file is publicly available on client server, is it good if I just send the url to the main server which passes it to the second server and then download the file there ? Once that is done, the client will also have to use a GET request.
I am thinking of having wordpress on main server to make registrations easy (write a plugin to generate api to each user). Is it a good idea ?
I have seen this : Web API creating API keys
But the client side will be public (all the client side services I will write will be open source and the api itself is open for developers to develop for their own need.) So I figured hashing the key with any method can be reversed because it's public. I just want to use a single API key around 30 characters and their email and match it in main server.
EDIT
I just figured out something, but i don't know if it's a good strategy. If I could ask the users to add the domain from which the will make the request, and then just have only one API key and send it to the server so the server could match between the APIKey and the Domain and if it is listed continue with the POST.
You can use HTTP Headers to implement your authentication. Typically users will base64 encode the AUTH Header containing the API key issued to them. The server application will decode this API key from the HTTP Request it receives and perform a lookup from a datasource to validate the keys.
I'm developing both the server api and client-side app. I'm struggling with the client-side, as to whether to code it up as an app placed on their server or embedded with iframe and hosted on ours. I need your insights.
Here are our constraints:
Paid subscription based app. We want to authorize each request made to the server to ensure it's coming from a paid customer's site. Currently, we designed the API to accept HMAC Auth in the header and then compared it and the referrer host to what's in our db.
The API is RESTful. We do not want cookies or sessions.
Authorization is only for the client hosted site (our paid customers) and not their audience.
Resources sent back (if request is validated) will then be embedded into our customers' HTML pages.
We want to minimize the amount of code sitting on our customers' servers.
We're open to SSL/HTTPS and Oauth, if needed.
Given the above parameters, how would you go about the client-side portion? My first thoughts are to develop server code for generating the HMAC (sits on our customer's server) and then embed pass it to our iframe embedded on their page.
Thank you for your time and insights