So I'm working on a project that I'll provide information feed to specific business partner. There's no login required because the business partner's front-end have to pass an preallocated apiKey along with any request to the my REST API. The api only responds to requests that contain a valid apiKey, and its access level has already been predefined when we generate the apiKey.
Currently I'm using CakePHP, with curl, passing the REST request method, and the hardcoded apiKey as param. Security hasn't been an issue so far. But our team is thinking that, what if our business partner want their website to be done in recently trending JS front-end frame work such as AngularJS.
For the same scenario, such a simple task cannot be done in JS framework. I obviously cannot simply give them the client secret (apiKey) and let them include it in their client side code. Anyone can view the secret and have access to the our REST API.
Now we're talking about security, which my team really do not know much. What are the ways to overcome this issue? How to pass a client secret along with http request from AngularJS, securely, obscurely? Any suggestion or could anyone point out something that I can study into?
I had some ideas though, but they just sound not so right.
I'll just put the AngularJS in CakePHP's webroot. That would be a really dirty hack though... Just introduce unnecessary complexity.
Generate hash with the a combination of constraints such as Origin Domain / IP / Public Secret and timestamp, and on my API side, I compare the hash and return an access token for each request... something like that...
There are different options
JWT (see my article)
OAuth (pick one)
A proxy to your API
First two will require an initial authentication request, you'll get a token back that is passed in every future request to your site.
You can create a proxy, the site calls the proxy which then makes another call to the real API and adds your API key.
Related
I have an android app and a php server. I send some requests, say for login and other request parameters as required by my app; and the server sends back json which is displayed in the app.
My question is how could I prevent other users from accessing the urls via the browser and getting the results?
Also most of the requests should only execute if the user is logged in. That is taken care of in the app but how in the apis? I can send an auth token to be sent along with further requests, but the same can be get by calling the login api via browser and then sending that login token with other apis. How to handle these situations and prevent access via methods other than the app to get the data?
And also does it matter in case of android apps whether I send the login password encrypted or not from the app? Or should they be encrypted at the server and then stored in the database?
This might be a very naive question, but I couldn't find an existing one here on SO. P.S. I know php apache server is not the best option but the client has an existing php server ready with the apis and he wants to use the same in the app.
With my experience in writing a JAVA REST API here are the few suggestions I can make,
1> My question is how could I prevent other users from accessing the urls via the browser and getting the results
ans: If you want the API to respond to only the requests sent by App, You can sign the request with a unique key which is known only to the app and no body else.
For example: You can generate a string by appending all the parameters you send in a specific order like username+password+param1+param2 and then apply SHA 256 or any of the hashing on that string to generate a unique string and send this string as a Authorization header value :)
At API end because you know the oder of the parameter to join, once you recieve a request regenerate the string using parameter that you have received and apply same hashing on the string and check whether the string you generated matches the request Authorization header value or not and respond to only one with proper Authorization value :)
How it works : Being un-aware of Authorization header whenever browser makes a request this vallue will not be there in request hence your APU wont respond.
On the other hand if somebody deliberately tries to track the request and realizes that Authorization header needs to be sent, still wont be able to get response from your API because he will not know the Algorithm used to generate the value nor the sequence of parameter used.
Use Cases:
All Outh API's makes use of same pattern. Read OAuth specs for clarity (Though they use ot for different purpose, you can use it to benifit your situation:) )
Example of API's : Facebook,Twitter,Google,Linked In and so on :)
2>also does it matter in case of android apps whether I send the login password encrypted or not from the app?
Ans:
It does not matter wheteher you use android apps or web browser to make request :) If you are using POST request all your parameters will be encrypted by default :) So dont worry about it :)
3>should they be encrypted at the server and then stored in the database
Ans:
Saving a password in a plain text at your data base can lead to many consequences :) So its always better to save encrypted passwords at data base :) As far as usernames are concerned its ok to save them in plain text :)
Extra peice of Info : Make sure all your api's makes use of Secure channel :) I mean make sure your API's are https :)
Hope my suggestions helped :)
I have developed a website with my friend. For the front-end we are using AngularJS, and for the backend we're using Laravel.
Whenever data has to be fetched, an API call is made from front-end to PHP.
My concern is that this API call is clearly visible in network panel. Then some bad guy can easily abuse this API. How can I avoid this?
In most cases exposing your API is not bad thing, but you need to think about this:
1. You should design your API, so only legitimate operations can be made. In example: person shouldn't be able to delete whole database using API.
2. You could provide some authentication mechanism if needed, so the person trying to call your API will have to be logged in (authentication token should be stored in session and verified in server-side with every API call).
If you want to hide POST/GET Params form console. Try to make JSONP call in angular . JSONP calls are not real ajax requests and won't be shown in Firebug. You can also clear the console using clearconsole() after you receive the response and you can also authenticate the requesting IP in your laravel backend.
It's just like regular routing. For example: Everybody knows that they can access a user's profile on Facebook on the /:username route, but Facebook prevents unauthorized clients from viewing that data. The same concept is used for REST routes.
Just like regular page requests, AJAX calls and the data passed / received can be seen by the user. JSONP can be used to prevent the API requests from being logged by regular developer tools, but that is not a good security solution your API can still be discerned by a malicious user.
Even if you encrypt the request payload and the response, it can be intercepted by a malicious user before encryption and after decryption.
You mentioned using proper authentication on your API, which is usually good enough for most cases.
I have my own API built in php with zend framework for CRUD functions with database.
But now I am concerned about securing my little API for a bit cause I needs to have voting function which allows user to vote once per item. The only requirement to vote is user's facebook ID, so I am afraid if someone loop the post requests to my voting api with a lot of facebook id.
So now I am thinking of passing encrypted token from my app client to voting api and check it before api do the things.
So I want to know what are the best way to generate dynamic tokens and passing it securely to the API? Or is there any easy way to recognize the API requests that made from any sources other than my app clients?
Currently I use jquery ajax to pass all json data to my api. Thanks!
The easiest way I can come up with is, that you put a hash of some sort into the API call to verify that the data comes from your app.
E.g. you could create a hash of the Facebook ID plus a salt. You just have to make sure, that the receiving end does know the salt used for that call.
For example
hash = sha256(Facebook_id+app_id)
would be a way .
I have a web-application for which I'm building a Drupal module that allows my customers to access certain data on my application.
I intend to distribute secret API-keys to my customers who need to enter that value in their copy of the Drupal module. This Drupal module then talks to my web-application, but I need to make sure that the POST requests are indeed coming from that source.
How can this 'secret key' be used to pass some information that when my application receives it, it knows:
(a) its from that client's server.
(b) it hasnt been eavesdropped on / copied and used by someone else?
Should I be using this API-key as a password to encrypt some data that matches the rest of the POST request? When receiving it, I decrypt it using my copy of their API-key and it if matches the rest of the data, I consider it validated?
Is there a frame-work that does this for me? Something within Zend?
Use HTTPS and just send the API key in the request. It's that simple.
If you use HTTP then you are going to reinvent the wheel.
Update:
Here is an update after reading the comments, because in the question you didn't explain that you want to give the API keys to visitors of the website (in which case you would be screwed no matter what you do).
The comment by juanpaco explains what to do (and what I originally assumed that you're doing anyway) but I'll try to explained it in a little bit more detail.
The most important thing is that you don't use the API key in the web form. The API key is only used in the communication between your customers servers and your API server.
Here is a simplified explanation:
You give your customer a key and some software/module/library to install on his server.
When a visitor visits your customer's website he sees some HTML generated by your module that does not include any API key and can communicate only with your customer's server (with HTTPS if there is any sensitive information or user accounts involved at all).
Your module on the customer's server gets the request from the visitor.
Your module connects to your server using the API key (with HTTPS).
Your API server responds to the customer's server.
The customer's server responds to the visitor.
Your API key is never sent in the cleartext and never given to website visitor.
This is the only reasonable way to use API keys and after I first read your questions I assumed that you are concerned about the safety of sending your API keys between your servers and the servers of your customers.
If your customers were to give their keys to every visitor of their websites then those visitors would always be able to know them, no matter how hard you would try to make it. Giving visitors API keys and making them possible to use but impossible to read would be impossible. Not hard - impossible. No matter what protocols, encryption or anything you use.
(Thanks to juanpaco for bringing this old answer to my attention.)
Collect and store every client incoming url(e.g. www.authorisedclienturl.com) as part of the parameters you would store on your server before generating an API key to be shared with the client.
The client will use HTTPS to send the API key in the request boby from their registred authorised client urls only.
Use the API key to decript the client information on your server and retrieve the registered client url, verify that the incoming request url is present in the registered urls, then accept and proceed with other processes.
user signs up for a key and secret from my site, then they can send/receive from my REST server.
Where I need help is when a user interacts with the REST, how can I determine if they are authenticated using THEIR key and secret? Basicly this will be for a social network site app area. I have seen that many social networks have an app area and use REST and OAuth and sometimes OpenSocial but I have looked at those and they are a bit complex for my needs I think. As for authenticating with OAuth, I guess I do not really understand exactly how it works, maybe it is what I am looking for though? I don't need to authenticate the user who views the page that is running the API, I need the owner of the app's server to authenticate to send back and forth with my REST?
Any advice on how to do this the best way? I would like to do it the best method for future growth, so if I could do it like the big boys do (Facebook, myspcae, hi5, bebo) that would be the way to go I think.
when a request is sent it should pass the key in the URL to my server but they should have there Secret somewhere in there script, I am not clear how to make that work with each other?
OAuth is almost certainly the best way to go here. Using OAuth, you can provide authorization to almost any kind of web-based API that you would like (REST is fine, but so is plain ol' XML over HTTP).
There are some Stackoverflow articles on how to get started with OAuth.
I also find Google's implementation worth studying, as it's both well documented, and a very good implementation from which to take inspiration. They also have a very helpful "OAuth Playground" that will walk you through an OAuth request step by step.