I have a system which creates a website automatically for the client. I would like to implement reCAPTCHA in this system, but I need an API key to implement it. As I have many clients, and clients have access to the file system, I cannot use a single public/private key for all customers. Can I create an API key programmatically for each client, or is there another solution? If using reCAPTCHA is impossible, then is there an alternative which meets this requirement?
Before July 2014 (or so), it was possible to create a global key for reCAPTCHA through the reCaptcha admin page, as seen in the screenshot below.
Unfortunately, this option is no longer available. Existing global keys still work, but it's no longer possible to create new global keys. Sorry. :(
As I had the same problem, here your solution: You can now use the Secure token, obtained at: https://developers.google.com/recaptcha/docs/secure_token
Cheers Jens
Related
I've been working on an e-commerce project built on Symfony2 (for the backend) and AngularJS for the frontend. Currently the Symfony part is used only as an API, which has three different user levels (guest, customer & admin). Different actions that can be done within the system (like add/remove data) are secured by:
Symfony2 firewall with user roles/access control
JMS security extra (#PreAuthorize expressions)
For the parts that are secure everything works as intended and I'm very happy with the way things work.
Problem:
There are parts of the API which are public (like retrieving product information, categories, etc.). I'm retrieving such data in Angular with Ajax calls to my API that returns the data in JSON format. One example would be:
/api/product/get-all/?page=1&count=10&sorting[id]=asc
The problem is that anyone could look at the requests in browser and copy the path and have access to all the data (such as all the products) and could just download a JSON of all the information. Although this data is "public", I don't want to give others such an easy way of "stealing" my data.
Ideas & possible solutions:
I was looking at the JWT (Json Web Token) standard to try and secure the public calls to my API and implement it in such a way that I generate a token for "real" users that are on the website, and such limit direct access to public API links.
What do you think? Would this be a possible solution?
I was also reading in some other question on StackOverflow that I could check the HTTP_X_REQUESTED_WITH header from the request, but we all know this can be easily spoofed by an attacker.
Finally, I read a similar approach to "solution" 1) here : http://engineering.talis.com/articles/elegant-api-auth-angular-js/ but I'm not entirely sure that this fits my purpose.
Additional notes:
I don't want to make this bullet-proof, but I also don't want to give people the option to click 2 buttons and get all my data. I know that eventually all the information can be "stolen" (e.g.: by using a web scraper ), but "securing" the system in such a way that people would have to make a bit of an effort is what I have in mind.
I can't really re-model my API too much at this stage, but any ideas would be appreciated
Thanks for taking the time to read my question and I'm looking forward for any feedback.
You can limit the abuse of your system in a number of ways, including:
Limit the total number of requests that API will return before requiring CAPTCHA or some other validation method. This can be limited by IP, browser fingerprint, authentication token, etc.
Make it difficult for abuser to guess IDs of products, categories, etc. by using GUIDs or other randomly generated IDs.
Use API management proxy such as Azure API Management for more enterprise level management of the APIs (http://justazure.com/azure-api-management-part-one-introduction/)
You could try something like:
To access the site anonymous users first need to fill in the captcha to get temporary token.
Add referrer check on.
Limit amount of data anonymous users can view. For instance, first 50 products.
This way everyone who wants to steal your data first need to get anonymous temporary token by filling in the captcha and change referrer.
Try with DunglasAngularCsrfBundle
I know this is a pretty discussed topic but i'm struggling in finding a solution for my case.
I have done an already working API service in ASP.NET (c# 4.5.1). My clients uses php pages to call a page.aspx on my server and sending via POST a string. This string contains an ID and a cypher message. Every user have a different key (AES 256) and, since i have the ID i get from my DB the correct key to decypher the message and do what its request contains. I also check the IP, every client have only a list of approved IPs (when they are not using the debug mode for testing)
I like this method but now i have to let my users do some purchases. I already implemented it (thank you PayPal) and it works, but i feel my security weak.
So i wanted to add some already known and already wrapped authentication system, without re-writing any of the already working and debugged code.
Since is used from lot of big internet services i thought about OAuth 2.0 (and i know nothing about it), but looks like everyone who talks about it is for creating a login that uses services like Facebook, Google, Twitter and go on.. not my case. I have my own database with my user list and i need to know with 100% security who is calling my API service.
I tried creating a new Web API 2 project (MVC.. damn) but i cannot understand if i can use for my service without rewriting the logic for API calling (and from what i saw looks like no is the answer)
So the question is: What authentication method can i use that is easy to implement without rewriting the already working code and can be usable from clients with PHP?
I was watching "ASP.NET MVC 5 Fundamentals" tutorial on Pluralsight by Scott Allen where he explains it quite nicely. But before watching that tutorial, for one App I worked on, we had a table in the database with tokens that were issues at Login. Then the client would send the token with their request. At server side, I did a custom attribute called [CheckToken] inside which I would check if the token exists in the database and if it is stil valid (not expired, etc.) I went a step further and sometimes swap the token so that even if the token gets stolen, it would not be valid for long. That way, the user does not have to keep login in all the time.
I have a PHP project on Google AppEngine which has grown popular among engineers in my community and I will like to open source it on GitHub so everyone can give a hand.
The main problem is that the code contains API keys which I want to keep secret but I don't want to remove it from the code so that people can test the code they write for the app before they commit, and I also want to be able to deploy the code directly from GitHub to GAE.
Is there anyway I can keep this API keys/passwords secret without removing them from the code?
In other words how do big companies like Facebook keep their DB passwords safe? So that not every engineer in Facebook can see the DB password in the code?
You cannot keep you id/pass in your code : No Good !
On AppEngine, you can define custom environment variables in app.yaml.
see : https://developers.google.com/appengine/docs/php/config/appconfig#PHP_app_yaml_Defining_environment_variables
It's far better for security.
I've been on this one for the last 2 days...
All I want to do is, with my username and password, access my Google Calendar events/calendars and create, edit or delete them with my PHP web application.
I've looked in the Google API, Zend Framework, OAuth 2.0 with google, etc and there is always a piece of information missing to make it work.
What is the quickest and simplest way, on a shared server to get to access my gcalendar? Is there a class/php function file somewhere that I can simply install in a www.websitename.com/include directory that will not make me want to pull my hair out?
I want to use already made functions like this : updateevent(username, pass, id, calendar, title, details, location, etc);
New APIs can be a little scary, especially to programmers who are still somewhat new to a particular platform. Google's Calendar API is very well-documented (like all of them) -- but you just have to read them. It's easy once you get used to it.
http://code.google.com/apis/calendar/v3/using.html
It basically involves this:
Acquire an API key
Include two files in your PHP code
Authenticate (steps up to this point only take a few lines of code)
Do what you need to do!
It's the only official and truly the easiest way to directly work with Google Calendar. What piece of information is still missing?
i have 2 sites (example.com, ex2.com). Fisical is a 1 site with 1 db. When user sing in ex2.com, he was sing in example.com too. How do this?
P.S. Can do this with ZF?
I found a very interesting article on this topic. The author gives some ideas how to implement Multidomain authentication.
http://codeutopia.net/blog/2008/09/25/sharing-authentication-over-multiple-sites-single-sign-on/
Have you looked into OpenID? You could lock OpenID consumer "ex2" to allow logins only from your "example.com" OpenID provider.
I am also digging the subject. Some time ago, I already did my own implementation and got it terribly wrong.
At the moment I am wondering whether to setup an own OpenID provider and locking consumer sites to accept only it. Another alternative would be yet another own implementation with a CAS style setup, where only a hash is passed via the browser, and the user verification is done server-to-server in the background using the hash as a disposable key.
I am not yet sure which one to pick or would some third alternative be better.
You could take a look into something like http://cosign.sourceforge.net/. Cosign enables you to create a single point of login for multiple sites. It's not specific to Zend but should work.