I have a hybrid WordPress plugin that fetches all data using curl from the main server. Let's call it A.
B is the client that requests for data and also can send data to A.
Now every request is encrypted and authenticated using a API access keys.
But the problem here is if I copy the plugin from B to a new client site C, the moment I use the same access keys etc. the plugin starts working.
I want to be able to restrict the access of one API access key to one domain name. How can I attain that?
I'd say to include the allowed host's IP address (B) in your access key administration.
So: when B does a call, you can validate the key and the IP it's calling from.
On A, you can use something like $_SERVER['REMOTE_ADDR'] to test the IP calling the script.
Two downsides: when sites move servers, the plugin will stop working. And of course, people can still spoof their IP, so there is a way to get around this, but at least you make it a lot more complicated and probably not worth the hassle for most cases.
A suggestion by TJHX
Make it part of the license you give your customers. The honest ones will follow it, the dishonest ones will find a way to break your DRM. This is a problem technology can't really solve confidently, especially when with things like wordpress people can just see your code - By TJHX
I have also looked into a lot of options but the mere fact is that the user always has access to the code in the wordpress plugin and can easily make amendments to the CURL request Headers even if you encrypt it.
All we can do it add it in our Licenses.
In my plugin, there are iframes that will be loading the data on the frontend so I am going to accept the domain name when the user buys the plugin and will check the referrers to my iframe to sort this issue out.
Thanks a lot guys for your help.
Related
Wondering if someone can provide some direction.
I'm creating a Wordpress plugin that will be publicly available (free). The plugin is meant to allow bloggers to include a definition widget using bootstrap's data-toggle.
Since I don't want people stealing the content without attribution, the hyperlink will be pulled out from a private API.
Here's how I think this should flow, but I know that there are things that are inefficient:
Create a private API that houses all of the data. It might be as 3
branches of data:
id -- name -- definition
Have the plugin authenticate somehow with the server
Plugin creates a shortcode in Wordpress ie. [define="term"]anchor[/define]
When the shortcode is called, it pings the server and stores something locally in their sql db.
Additional Notes/Concerns
I understand that there is nothing such as being hack-free or altered free. But I want to get as close as possible.
A couple exploits I can see happening is if people change the cached info in the SQL DB. Is there a way to potentially kill the data-toggle content if this happens?
Also, I don't want people to be able to create their own calls to our API creating their own programs. That's not the intended use of this.
I apologize if my thoughts seem cluttered, but I can't seem to figure out a solid workflow in where I should get started with this.
If anyone can help bring clarity, I would greatly appreciate it.
I would be inclined to do the following:
Give every user a unique API token or other credentials
Link every token to a single IP address and reject any requests where the token doesn't match the IP address.
That way if you become aware of someone misusing the content you need only delete their token to prevent access, and can be reasonably sure that it's not being used on another server. Users can enter the API credentials in the plugin admin.
I think OAuth2 will probably be the way to go to authenticate clients - it's made for granting access to client applications and there are plenty of implementations available. You'd need to add the ability to verify that the user matches the IP, but that shouldn't be difficult.
Is it possible to post to Google + through PHP using some kind of API? I've read many conflicting statements on various places, including here on SO.
I've read that you need an analytics account, that you need to add a website to your page, that it isn't possible, that it's a closed service and you must apply, that you need your GMail username & password .etc.
Just really looking for a bit of clarity really. Found this, but I'm not sure if it allows this functionality. The lack of documentation really makes it quite daunting looking into this as well, there is literally nothing I can find at all.
Another option I've found appears to work, however it was from a website where you must pay to download the API. I'm genuinely not sure how or if it can be done.
Google restrict this API to whitelisted partners and companies through https://developers.google.com/+/web/api/rest/pages-signup
You could however use a third party script such as https://gist.github.com/zachbrowne/3301749 which handles the posting as if it was a logged in front end user rather than a direct API update flow.
Use Case: I am working on an application where user can build his own html template and publish it to his domain by selecting one. He can use different components to do this.
Issue: I want to transfer the pages build by the user from my domain to his created domain. Something similar to what is done here. Now currently in the prototye, what I do is write the content to a file (a .html file using ajax request) then make an FTP connection to the users domain (possible beacuse domains are created dynamically by the application) and transfer the files to his domain.
This, I believe, cannot be the right way and I would like to build it around a REST service which would make it flexible and also secure.
Research: I went through the web and found some website handle this very well (like the one mentioned above) and believe they have built it as a service. Am I on the ?
I would like suggestions and the possibilities so I can move forward. I am using PHP on the server side and javascript on the client side.
I can see some possible features to add safety to your services :
Check the source IP from the request, and only allow your servers to make the REST calls.
add header('Access-Control-Allow-Origin: *'); with the list of the possible domains to make the calls, instead of the *.
add security tokens related to the caller machine IP address, that would work as a password for the machine.
send all the data using post instead of get.
To update the page, I would go this way :
keep the data in the database, on server 1
add a page that reads from the database the content of the page based on a domain parameter
on the domain page call server 1 with the domain parameter to get the contents
I'm building a product that involves clients adding their FB app data into my product's dashboard.
In this case each client would have to go to developers.facebook.com/apps and create an app first.
I would want to have a button which says "Create App" in my website that when clicked, would create the app instantly for the client.
So is it possible to create a FB App from my website (with script, not manually) ??
Thanks in advance,
Altin.
It was possible couple of years ago, and now it's been removed.
First of all, I’d think about the question, “does every client really need their own app?”
Maybe it’d also be possible to have all of the stuff you’re planning to do (no details on that) under one app, and have it decide on what data to show based on the fact which client’s Facebook page it gets added to (if it’ll run as page tab app), or by some additional parameter passed to it when calling it. You could f.e. example automatically redirect to a sub-folder on your webspace based on this criteria, that displays individual pages for that client.
If that’s not an option, then yes, your clients will have to set up the basic app themselves (and therefor they’ll need a verified account) – and afterwards tell app id and secret to you. Many of the “advanced” app settings can then be set by you via script – look at what properties are marked as “(Editable via API)” here: https://developers.facebook.com/docs/reference/api/application/
(Although some of the basic settings, like category, description, logo etc. will still have to be set by your client themselves. But other, more “technical” stuff, that the client maybe doesn’t know about and doesn’t even want to be bothered with, like canvas/page tab URLs etc. can be set by you. I’d say that’s as good a compromise as you can get for such a scenario.)
There's one news-portal and its huge (site A). During production backwards, it has been even powered with some sort of a social networking stuff - not yet started, but about to start (soon site B).
Packed together looks great, but in some future there might be a lot of problems with maintaining the database, servers and stuff so I've been asked to separate it as I did. Site A goes on its own domain, site B also - databases are separated.
Now, I need to do the following: when user logs into site B (social site) and arrives to site A (portal) they should be instantly logged in there too (on a site A).
Any ideas how to do this - without duplicating entries to user tables?
EDIT:
Any other ideas instead of auth services? OpenId will just give us one user with 10 accounts, fakes and so on. How about cookie stuff or multi-database queries?
EDIT 2:
Well this is something hot.. unless its not April 1st joke and worth a try:
http://www.shawnhogan.com/2005/12/cross-database-join-with-mysql.html
You can use OpenID.
OpenID is an open standard that describes how users can be authenticated in a decentralized manner, eliminating the need for services to provide their own ad hoc systems and allowing users to consolidate their digital identities.
If you want to share some profile information (e.g. posts or photos) without giving access to your login and password you can use OAuth.
See if my answer here is of any use.
It's pretty simple, and only requires user information to be kept on one side. Where you need some information on the non-database side, you can just pass that information there using values in a query string, alongside the encrypted string.
Can you believe this?
$DB->query("SELECT * FROM table..."); // works of course...
$DB->query("SELECT * FROM another_database.table..."); // WORKS ALSO!
This guy is a miracle:
http://www.shawnhogan.com/2005/12/cross-database-join-with-mysql.html
I don't believe it, so simple at the end!