I'm using PHP and json to make an API and I would like to limit the access for it.
The most user-friendly way to do this (in my opinion) would be an API key for each user.
What I'd like to do is check who's using/requesting the json, and then I could check the site toward the key (I know how to do the last part).
(The key will be appended to site url ?key=KEY)
I have tried
$_SERVER['HTTP_REFERER'];
But apparently this would only show the last site if you're redirected to my site.
I hope this wasn't TOO subjective, and I don't really know how to explain this in any other ways. Hopefully someone could understand what I'm trying to do and maybe got a better solution?
I'm kinda new to making APIs, at least limited ones.
Thanks!
The referrer is set by web browsers to give you the last page the user browsed before getting to your site. If you authenticate a site by using an API key, and this site embeds the API key in its JS code so that visitors can access your API directly, rate-limiting by using both API keys and referrer will allow attackers to DoS your API until a specific site has been rate-limited (because the attacker knows the API key, and the referrer can easily be spoofed).
I am trying to get a list of all Google Apps users of a domain onto a public PHP website (without visitors of the site needing to login or do anything). I have a basic understanding of what needs to happen but can't quite piece it all together. It can't be as hard as it seems to me... could it?
Authentication and Authorization:
I'm pretty sure it needs to use OAuth 2.0... but am unsure whether it needs 2-legged or 3-legged. I got another section of the site working with ClientLogin but that won't pull in Google Apps profiles, only users' first and last names (I need the other profile fields). I have set up the API access within the account and have that side of things all set (I believe).
I have found this page, which shows how to construct a URL request to get all Profiles (in every language except PHP of course) but don't understand how to implement this.
http://code.google.com/googleapps/domain/profiles/developers_guide.html
I also tried this example but it just gives me a 401 after I enter the credentials. http://gdatatips.blogspot.com/2008/11/2-legged-oauth-in-php.html
I don't know which frameworks or includes are needed to accomplish this either. I have tried zend, OAuth.php and a whole bunch of other bootstraps... but keep getting lost as to what each is doing.
If someone could help me by outlining:
Which files/framework I need to upload and include as a bootstrap
What variables within those files I need to update with the Google credentials
How I integrate the Google Profiles "Retrieve all Profiles" request with PHP
An ELI5 (explain it like i'm 5) overview would be very much appreciated... I'm sorry for my apparent incompetence, but I have been reading articles for nearly a week and have not gotten anywhere.
Thank you in advance for any help provided.
Good question.
You'll need to implement the Google OAuth 2.0 process as it's described here (experimental?), because someone (you) will need to give your app the initial permissions to access Google Apps API. Steps are:
Register your domain with Google (don't remember the link)
Redirect/send the browser to an authentication URL: https://accounts.google.com/o/oauth2/auth, with the appropriate request params (see the first link). You'll need access_type=offline; your scope would be https://apps-apis.google.com/a/feeds/user/
Get a code back, then exchange for a refresh_token, an access_token, and a value specifying when the access_token will expire. Store these in a database
Whenever you need to make an API call, check if your access_token has expired or not, and refresh when necessary, which is what the refresh_token is for. The refresh_token is valid as long as you don't revoke the access you gave to the app.
OAuth Playground helps a lot. Good luck.
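The four steps above, written out as an added PHP example (this is not code from the answer or from Google). It assumes a client_id/client_secret registered with Google, a redirect URI, and a PDO handle to a table `tokens(id, access_token, refresh_token, expires_at)`; the token endpoint and the `approval_prompt` parameter are the ones Google documented at the time and should be checked against current docs.

```php
<?php
// Added example: OAuth 2.0 "offline" flow for a server-side PHP app.
// Assumed: $clientId/$clientSecret from the Google API console, a redirect URI,
// and a PDO connection whose tokens table has a single row with id = 1.
// Endpoint URLs are Google's as documented at the time; verify before use.

const AUTH_URL  = 'https://accounts.google.com/o/oauth2/auth';
const TOKEN_URL = 'https://accounts.google.com/o/oauth2/token';
const SCOPE     = 'https://apps-apis.google.com/a/feeds/user/';

// Step 1: build the URL the domain admin is sent to once, to grant access.
function authorizationUrl(string $clientId, string $redirectUri, string $state): string
{
    $params = [
        'response_type'   => 'code',
        'client_id'       => $clientId,
        'redirect_uri'    => $redirectUri,
        'scope'           => SCOPE,
        'access_type'     => 'offline',  // ask for a refresh_token
        'approval_prompt' => 'force',    // Google-specific (assumed): ensures a refresh_token on re-consent
        'state'           => $state,     // random value kept in the session, checked on return (CSRF)
    ];
    return AUTH_URL . '?' . http_build_query($params);
}

// POST to the token endpoint and return the decoded JSON body.
function tokenRequest(array $fields): array
{
    $ch = curl_init(TOKEN_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // never switch this off to "fix" certificate errors
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('token request failed: ' . curl_error($ch));
    }
    curl_close($ch);
    $json = json_decode($body, true);
    if (!is_array($json) || isset($json['error'])) {
        throw new RuntimeException('token endpoint error: ' . $body);
    }
    return $json;
}

// Step 2: exchange the one-time code for tokens and persist them.
function exchangeCode(PDO $db, string $code, string $clientId, string $clientSecret, string $redirectUri): void
{
    $t = tokenRequest([
        'grant_type'    => 'authorization_code',
        'code'          => $code,
        'client_id'     => $clientId,
        'client_secret' => $clientSecret,
        'redirect_uri'  => $redirectUri,
    ]);
    $stmt = $db->prepare('REPLACE INTO tokens (id, access_token, refresh_token, expires_at) VALUES (1, ?, ?, ?)');
    // Store expiry with a safety margin so we refresh slightly before the real deadline.
    $stmt->execute([$t['access_token'], $t['refresh_token'], time() + (int)$t['expires_in'] - 60]);
}

// Step 3: call this before every API request; it refreshes transparently when needed.
function currentAccessToken(PDO $db, string $clientId, string $clientSecret): string
{
    $row = $db->query('SELECT access_token, refresh_token, expires_at FROM tokens WHERE id = 1')
              ->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        throw new RuntimeException('no stored grant; run the authorization step first');
    }
    if (time() < (int)$row['expires_at']) {
        return $row['access_token'];
    }
    $t = tokenRequest([
        'grant_type'    => 'refresh_token',
        'refresh_token' => $row['refresh_token'],
        'client_id'     => $clientId,
        'client_secret' => $clientSecret,
    ]);
    // A refresh response normally carries no new refresh_token, so the old one is kept.
    $stmt = $db->prepare('UPDATE tokens SET access_token = ?, expires_at = ? WHERE id = 1');
    $stmt->execute([$t['access_token'], time() + (int)$t['expires_in'] - 60]);
    return $t['access_token'];
}
```

The refresh_token is the long-lived secret here: keep it out of the web root and out of logs, and treat a revoked grant (the refresh call returning an error) as a signal to repeat step 1 rather than to retry in a loop.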
I am working on a PHP REST API. I would like to require a user key to access the API. I am not sure how to do this though; do I just issue a key and have them send it in a POST or with GET on each API request? Please help me explain in the simplest of terms possible if you can; I know this is something a lot of people want to do and it confuses a lot of people, not just myself.
Also I would like to be able to limit usage, I was thinking of storing each hit in a MySQL database or something in Memory even. I just saw this in the header of a Github API request
X-RateLimit-Limit 5000 and X-RateLimit-Remaining 4996, and the number decreases by 1 on each hit. Is this some kind of built-in limiter?
Just require clients to register with your site,
create a record in your CLIENTS table, issue them a unique, not-easy-to-guess id,
then with each API access require that id to be included in the request, either in GET or POST or in the header.
Validate it with every request, return error code if id is not present or invalid.
For rate limiting you are correct, you need to have a separate table for storing count of requests per client and then generate these response headers with X-RateLimit counters.
It's not that hard, really.
I wrote an API that does that for my project, you are welcome to look at the source code, it's in the Api folder, here
https://github.com/snytkine/LampCMS/tree/master/lib/Lampcms/Api/
and entry point to API calls is this
https://github.com/snytkine/LampCMS/blob/master/www/api/api.php
url for adding new app is:
http://support.lampcms.com/index.php?a=editapp
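The registration, per-request validation and X-RateLimit counters described in the answer above, as an added PHP example (this is not LampCMS code). It uses an in-memory SQLite database through PDO so it runs stand-alone; the table names, the one-hour fixed window and the 64-hex-character key format are choices made for the example, not anything the answer prescribes.

```php
<?php
// Added example: API key issuance, lookup and a fixed-window rate limit
// backed by two SQL tables. SQLite in memory here; swap the DSN for MySQL.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT, key_hash TEXT UNIQUE, rate_limit INTEGER)');
    $db->exec('CREATE TABLE hits (client_id INTEGER, window_start INTEGER, count INTEGER,
               PRIMARY KEY (client_id, window_start))');
    return $db;
}

// Issue a key: 32 random bytes, hex-encoded. Only a SHA-256 of it is stored,
// so a leaked clients table does not hand out working keys.
function issueKey(PDO $db, string $name, int $rateLimit = 5000): string
{
    $key = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO clients (name, key_hash, rate_limit) VALUES (?, ?, ?)')
       ->execute([$name, hash('sha256', $key), $rateLimit]);
    return $key;   // show it to the client once; it cannot be recovered from the DB
}

// Look the key up by its hash. Returns the client row or null.
function authenticate(PDO $db, ?string $key): ?array
{
    if ($key === null || !preg_match('/^[0-9a-f]{64}$/', $key)) {
        return null;   // reject malformed input before touching the database
    }
    $stmt = $db->prepare('SELECT id, name, rate_limit FROM clients WHERE key_hash = ?');
    $stmt->execute([hash('sha256', $key)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Fixed one-hour window counter. Returns [allowed, limit, remaining].
function rateLimit(PDO $db, array $client, int $now): array
{
    $window = $now - ($now % 3600);
    // INSERT OR IGNORE is SQLite syntax; MySQL would use INSERT IGNORE.
    $db->prepare('INSERT OR IGNORE INTO hits (client_id, window_start, count) VALUES (?, ?, 0)')
       ->execute([$client['id'], $window]);
    $stmt = $db->prepare('SELECT count FROM hits WHERE client_id = ? AND window_start = ?');
    $stmt->execute([$client['id'], $window]);
    $count = (int)$stmt->fetchColumn();
    if ($count >= $client['rate_limit']) {
        return [false, $client['rate_limit'], 0];
    }
    $db->prepare('UPDATE hits SET count = count + 1 WHERE client_id = ? AND window_start = ?')
       ->execute([$client['id'], $window]);
    return [true, $client['rate_limit'], $client['rate_limit'] - $count - 1];
}

// Request glue: take the key from an Authorization header or, failing that, ?key=.
function handleRequest(PDO $db, array $server, array $get, int $now): array
{
    $key = null;
    if (isset($server['HTTP_AUTHORIZATION']) && preg_match('/^Bearer (\S+)$/', $server['HTTP_AUTHORIZATION'], $m)) {
        $key = $m[1];
    } elseif (isset($get['key'])) {
        $key = $get['key'];   // keys in URLs end up in access logs and Referer headers; prefer the header
    }
    $client = authenticate($db, $key);
    if ($client === null) {
        return ['status' => 401, 'headers' => [], 'body' => ['error' => 'invalid or missing API key']];
    }
    [$ok, $limit, $remaining] = rateLimit($db, $client, $now);
    $headers = ['X-RateLimit-Limit' => $limit, 'X-RateLimit-Remaining' => $remaining];
    if (!$ok) {
        return ['status' => 429, 'headers' => $headers, 'body' => ['error' => 'rate limit exceeded']];
    }
    return ['status' => 200, 'headers' => $headers, 'body' => ['hello' => $client['name']]];
}

// Stand-alone demonstration with constructed requests: a client limited to 3 hits,
// called four times, then one call with a bogus key.
$db  = openDb();
$key = issueKey($db, 'demo-app', 3);
foreach ([1, 2, 3, 4] as $i) {
    $r = handleRequest($db, ['HTTP_AUTHORIZATION' => "Bearer $key"], [], time());
    echo $r['status'], ' ', json_encode($r['headers']), "\n";
}
$r = handleRequest($db, [], ['key' => 'not-a-real-key'], time());
echo $r['status'], "\n";
```

Two points the answer leaves implicit: the key is a bearer credential, so it only protects anything if the API is served over TLS, and the counter row is shared state, so in a multi-process deployment the read-then-update in `rateLimit` should become a single atomic `UPDATE ... WHERE count < limit` (or a Redis INCR) to avoid letting concurrent requests slip past the limit.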
Is it possible to check from where user came to my facebook application? I'm looking for something similar to $_SERVER["HTTP_REFERER"]. My facebook application is written in PHP.
No, since Facebook "proxies" every request to your app, you will never see a referrer.
The only thing you could do would be handing out self generated referer-urls.
Just apply the GET parameter app_data to your url - this gets passed directly through to your app with the signed request.
This would be a method of tracking how many visitors come from sources you know and made a link deal, for example.
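Reading app_data out of the signed request, as an added PHP example (not from the answer above). It follows the format Facebook documented for canvas apps, base64url(signature) "." base64url(JSON payload) with an HMAC-SHA256 over the encoded payload keyed by the app secret; the app secret, the payload contents and the list of known referral tags are constructed for the example.

```php
<?php
// Added example: verify a Facebook signed_request and extract app_data.
// $appSecret is assumed; the demonstration signs its own payload so it runs offline.

function base64UrlDecode(string $s): string
{
    $s = strtr($s, '-_', '+/');
    if ($pad = strlen($s) % 4) {
        $s .= str_repeat('=', 4 - $pad);
    }
    $out = base64_decode($s, true);
    if ($out === false) {
        throw new InvalidArgumentException('bad base64url');
    }
    return $out;
}

function base64UrlEncode(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Returns the decoded payload, or throws if the signature does not verify.
function parseSignedRequest(string $signedRequest, string $appSecret): array
{
    $parts = explode('.', $signedRequest, 2);
    if (count($parts) !== 2) {
        throw new InvalidArgumentException('malformed signed_request');
    }
    [$encSig, $encPayload] = $parts;
    $sig  = base64UrlDecode($encSig);
    $data = json_decode(base64UrlDecode($encPayload), true);
    if (!is_array($data) || strtoupper($data['algorithm'] ?? '') !== 'HMAC-SHA256') {
        throw new InvalidArgumentException('unsupported or missing algorithm');
    }
    // The MAC covers the still-encoded payload string, not the decoded JSON.
    $expected = hash_hmac('sha256', $encPayload, $appSecret, true);
    if (!hash_equals($expected, $sig)) {   // constant-time comparison
        throw new RuntimeException('signed_request signature mismatch');
    }
    return $data;
}

// app_data is whatever you put in the links you handed out, so only trust it
// after the signature check and only accept values you issued yourself.
function referralSource(array $payload, array $knownSources): ?string
{
    $tag = $payload['app_data'] ?? null;
    return ($tag !== null && in_array($tag, $knownSources, true)) ? $tag : null;
}

// Constructed demonstration: a payload signed with the right secret and one
// signed with the wrong one.
$secret   = 'example-app-secret';
$payload  = base64UrlEncode(json_encode([
    'algorithm' => 'HMAC-SHA256', 'issued_at' => 1300000000,
    'user_id'   => '12345',       'app_data'  => 'partner-newsletter',
]));
$good     = base64UrlEncode(hash_hmac('sha256', $payload, $secret, true)) . '.' . $payload;
$tampered = base64UrlEncode(hash_hmac('sha256', $payload, 'wrong-secret', true)) . '.' . $payload;

var_dump(referralSource(parseSignedRequest($good, $secret), ['partner-newsletter', 'ad-campaign']));
try {
    parseSignedRequest($tampered, $secret);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Without the signature check anyone can craft a URL that claims to come from your best-paying partner, so the counting the answer describes is only as trustworthy as `parseSignedRequest`.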
So I simply want to add my current Facebook status to my personal website. I have been looking at tutorials and other posts about FB and FB Connect, but I am still confused.
Is there anyway to do this with simple REST calls? Like twitter or flickr?
From what I understand I don't need FB Connect because I am just getting my own status and do not need to get any info from other visitors.
Any know how to do this?
Facebook does have an API, but unfortunately, you cannot use it without acquiring a secret key. Because Facebook gives users control over their data privacy settings, there is no "public access" to data retrieval methods. You must have a key in order to start fetching things.
All facebook applications are given a secret key when they are created. Users can prevent applications from retrieving their data if they want, hence the need for an associated key.
Facebook Connect applications function in the same way... they are assigned a key that is used remotely from a third-party site (ie. yours).
Unfortunately, without one of those keys you won't be able to access any data, even your own. You could probably come up with a work-around by making your own application and using that key to fetch data on yourself, but you'll need to go through some hoops to make it work on a permanent basis (ie. without a new session each time), like granting the offline_access extended permission.
user signs up for a key and secret from my site, then they can send/receive from my REST server.
Where I need help is when a user interacts with the REST, how can I determine if they are authenticated using THEIR key and secret? Basically this will be for a social network site app area. I have seen that many social networks have an app area and use REST and OAuth and sometimes OpenSocial, but I have looked at those and they are a bit complex for my needs I think. As for authenticating with OAuth, I guess I do not really understand exactly how it works; maybe it is what I am looking for though? I don't need to authenticate the user who views the page that is running the API, I need the owner of the app's server to authenticate to send back and forth with my REST?
Any advice on how to do this the best way? I would like to do it the best method for future growth, so if I could do it like the big boys do (Facebook, myspcae, hi5, bebo) that would be the way to go I think.
When a request is sent it should pass the key in the URL to my server, but they should have their secret somewhere in their script. I am not clear how to make that work with each other?
OAuth is almost certainly the best way to go here. Using OAuth, you can provide authorization to almost any kind of web-based API that you would like (REST is fine, but so is plain ol' XML over HTTP).
There are some Stackoverflow articles on how to get started with OAuth.
I also find Google's implementation worth studying, as it's both well documented, and a very good implementation from which to take inspiration. They also have a very helpful "OAuth Playground" that will walk you through an OAuth request step by step.
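How the key and the secret "work with each other" in a scheme of the kind the answer recommends, as an added PHP example (not from the answer, and a simplified stand-in for full OAuth 1.0a rather than an implementation of it): the public key travels in the request, the secret never does; it is used only to compute an HMAC over a canonical form of the request on the client and to recompute it on your REST server. The canonical string format, the HMAC-SHA256 choice, the 300-second freshness window and the in-memory nonce store are assumptions made for the example.

```php
<?php
// Added example: HMAC request signing. The client holds (api_key, secret);
// the server holds the same pair and checks timestamp, nonce and signature.

function canonicalString(string $method, string $path, array $params): string
{
    ksort($params);   // deterministic ordering so both sides hash the same bytes
    return strtoupper($method) . "\n" . $path . "\n"
         . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Client side: attach key, timestamp and nonce, then sign the whole request.
function signRequest(string $method, string $path, array $params, string $key, string $secret, int $now): array
{
    $params['api_key']   = $key;
    $params['timestamp'] = $now;
    $params['nonce']     = bin2hex(random_bytes(16));
    $params['signature'] = hash_hmac('sha256', canonicalString($method, $path, $params), $secret);
    return $params;
}

// Server side. $secrets maps api_key => secret (a DB lookup in real code);
// $seenNonces maps nonce => expiry and provides replay protection.
function verifyRequest(string $method, string $path, array $params, array $secrets,
                       array &$seenNonces, int $now, int $window = 300): bool
{
    foreach (['api_key', 'timestamp', 'nonce', 'signature'] as $f) {
        if (!isset($params[$f])) {
            return false;
        }
    }
    $secret = $secrets[$params['api_key']] ?? null;
    if ($secret === null) {
        return false;   // unknown key; do not reveal whether key or signature was wrong
    }
    if (abs($now - (int)$params['timestamp']) > $window) {
        return false;   // stale or future-dated request
    }
    foreach ($seenNonces as $n => $exp) {   // drop nonces outside the window
        if ($exp < $now) {
            unset($seenNonces[$n]);
        }
    }
    if (isset($seenNonces[$params['nonce']])) {
        return false;   // replayed request
    }
    $provided = $params['signature'];
    unset($params['signature']);   // the signature is over everything except itself
    $expected = hash_hmac('sha256', canonicalString($method, $path, $params), $secret);
    if (!hash_equals($expected, $provided)) {
        return false;   // wrong secret or tampered parameters
    }
    $seenNonces[$params['nonce']] = $now + $window;
    return true;
}

// Constructed demonstration: a fresh signed request, the same request replayed,
// and the same request with one parameter changed after signing.
$secrets = ['app-7f3a' => 'k9s8d7f6g5h4j3k2'];
$seen    = [];
$now     = time();
$signed  = signRequest('GET', '/v1/messages', ['user' => 'alice', 'limit' => '10'],
                       'app-7f3a', $secrets['app-7f3a'], $now);

var_dump(verifyRequest('GET', '/v1/messages', $signed, $secrets, $seen, $now));   // fresh request
var_dump(verifyRequest('GET', '/v1/messages', $signed, $secrets, $seen, $now));   // replayed nonce
$forged = $signed;
$forged['limit'] = '1000';
var_dump(verifyRequest('GET', '/v1/messages', $forged, $secrets, $seen, $now));   // tampered parameter
```

This is the mechanism underneath OAuth 1.0a's signed requests (there the secret is the consumer secret and the canonical form is the spec's signature base string), which is why the answer points at OAuth rather than at sending the secret itself: a secret that is only ever an HMAC key cannot be captured from the wire, and a nonce plus timestamp stops a captured request from being replayed.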