I am working on a PHP REST API. I would like require a user key to access the API. I am not sure how to do this though, do I just issue a key and have them send it in a POST or with GET on each API request? Please help me explain in the simplest of terms possible if you can, I know this is something a lot of people want to do and it confuses a lot of people not just myself.
Also I would like to be able to limit usage, I was thinking of storing each hit in a MySQL database or something in Memory even. I just saw this in the header of a Github API request
X-RateLimi-Limit 5000 and X-RateLimi-Remaining 4996 and the number decreases by 1 on each hit, is this some kind of built in limiter?
Just require clients to register with your site,
create a record in your CLIENTS table, issue them a unique, non easy to guess id
then with each api access require that id to be included in request, either in GET or POST on in the header.
Validate it with every request, return error code if id is not present or invalid.
For rate limiting you are correct, you need to have a separate table for storing count of requests per client and then generate these response headers with X-RateLimit counters.
It's not that hard, really.
I wrote an API that does that for my project, you are welcome to look at the source code, it's in the Api folder, here
https://github.com/snytkine/LampCMS/tree/master/lib/Lampcms/Api/
and entry point to API calls is this
https://github.com/snytkine/LampCMS/blob/master/www/api/api.php
url for adding new app is:
http://support.lampcms.com/index.php?a=editapp
Related
I have a client that wants to take orders via an online form, with the idea being that an order can be submitted and stored in a database via my application while simultaneously generating an invoice on submission in QuickBooks.
How do I do this in PHP when the person entering in the order is not the client but a client of the client? It seems like Quickbooks uses Oauth tokens and a javascript library to generate them to connect a company to an app, but I'm simply writing a backend for one company and want that backend to create invoices when saving an order. How do I think about this?
I'm not interested in anyone having to hit a button that says "connect to quickbooks" especially not the person filling the order because again, that person is a customer and doesn't need to know about the internals of the customer's invoicing system.
I just really want to use the Accounting API to generate invoices. Is there no way to simply link my backend to my one company directly in the Quickbooks SDK configuration and achieve this, or do they need to use a javascript library to get tokens. I'm unclear about what direction I should be going in and don't want to waste time with a client-side library if I don't need it to do backend logic.
Here's some example code that does exactly what you're looking for:
https://github.com/consolibyte/quickbooks-php
Along with a quick-start guide:
http://www.consolibyte.com/docs/index.php/PHP_DevKit_for_QuickBooks_-_Intuit_Partner_Platform_Quick-Start
Also see notes about your comments below -- you're on the right track, you're just misunderstanding how OAuth works:
It seems like Quickbooks uses Oauth tokens and a javascript library to generate them to connect a company to an app, but I'm simply writing a backend for one company and want that backend to create invoices when saving an order.
Correct, Intuit uses OAuth, and a little Javascript thing to kick off the OAuth process.
I'm not interested in anyone having to hit a button that says "connect to quickbooks"
Someone needs to hit this button... BUT only ONE PERSON needs to hit the button ONCE, EVER, and then NEVER again.
The owner of the company (e.g. your boss) needs to click the button ONCE, which gives the OAuth creds (and the realm ID) to you. Once your boss has done this ONCE, then you have the creds to use forever, for all of the actual customers.
Your customers (e.g. the people actually checking out/placing orders) DO NOT click any buttons, nor do they see or have any idea at all that you're even using QuickBooks.
just really want to use the Accounting API to generate invoices.
Cool, you can totally do that!
Is there no way to simply link my backend to my one company directly in > the Quickbooks SDK configuration and achieve this, or do they need to use a javascript library to get tokens.
Follow the quick-start above. It should take you about 15 minutes to get a working OAuth connection, and then you never need to use the client-side stuff ever again.
You only need to authenticate every 180 days btw.
If you use the reconnect script, you only need to authenticate ONCE, and can automatically renew the tokens every 180 days, no user-interaction required.
https://github.com/consolibyte/quickbooks-php/blob/master/docs/partner_platform/example_app_ipp_v3/reconnect.php
Well with the realm_id for example, I don't understand how that relates to ouath.
The realm ID is just a unique identifier for the particular QuickBooks Online company you're trying to connect to. Yes, you need to store it. If you use our libs, this is done for you automatically.
I guess I don't understand if I'm developing for one client why can't I just get their realm_id from them and then keep using it rather than making them do some form of authentication?
Again, they only have to authenticate ONCE. That's Intuit's way of giving you the realm ID and credentials you need to connect. Once you've done it ONCE, you never need to do it again. It takes all of about 30 seconds.
If they were to just give you OAuth creds without any authentication, it would be a gigantic security hole. If you read the Wikipedia article on OAuth it talks in depth about this, and the goals of OAuth.
Okay I think I get it, so they have to authenticate once every 180 days?
Once every 180 days, UNLESS you use a reconnect script, in which case they just authenticate once and then never ever have to worry about it again.
So I can store the token and the realm_id in a database before it expires and just use that?
Yes.
In this way my client can authenticate and then my scripts can generate invoices for them when their customers visit our website?
Yes!
I'm using PHP and json to make an API and I would like to limit the access for it.
The most user-friendly way to do this (in my opinion), would be an APIKey for each user.
What I'd like to do is check who's using/requesting the json, and then I could check the site toward the key (I know how to do the last part).
(The key will be appended to site url ?key=KEY)
I have tried
$_SERVER['HTTP_REFERER'];
But apparently this would only show the last site if you're redirected to my site.
I hope this wasn't TOO subjective, and I don't really know how to explain this in any other ways. Hopefully someone could understand what I'm trying to do and maybe got a better solution?
I'm kinda new to making API's atleast limited ones.
Thanks!
The referrer is set by web browsers to give you the last page the user browsed before getting to your site. If you authenticate a site by using an API key, and this site embed the API key in their JS code so that visitors can access your API directly, rate-limiting by using both API keys and referrer will allow attackers to DOS your API until a specific site has been rate-limited (because the attacker know the API key, and the referrer can easily be spoofed).
I'm new to creating API's and I am making an API for my php site. Now in any case what I am currently doing is having my script do a cURL call to some php file which does all the processing. Aka im doing a POST call for example to an api file which lets say creates a forum post for that user. Now the important thing to me is how do I authenticate and retrieve which user is sending the data. So how do I know the cURL call came from my server?
What I was going to do is have my server have a secret key that is passed in the api call and verified by the api file. The api file would make sure the key is correct and then take whatever username was passed in for example to make a forum post. My only concern is if this key is ever found out im screwed. I also want to be able to have the site work lets say as an android app so I want to be able to make curl calls lets say (not sure if thats possible) and have some authentication key sent to my server but I never want the user to be able to packet inspect for the secret key.
So my question is how can I securely do curl calls, since when I do a curl call it doesn't read any of the $_SESSION values I have set (unless im missing something). Any help is much appreciated. I was also thinking of authenticating using the username and password each time the only problem is I kind of want to avoid having to verify that the username and password is correct every time an api call is done since thats going to be another query that has to be done. But if that is the recommended way or the industry way then ill do it that way. Just looking for how to handle everything the proper way.
You should look into implementing OAuth then.
I'm creating a PHP API for a website and I'd want to restrict the API access to domains that are registered on our server (in order to prevent abusing of API usage). So, this is my approach right now, and well, it should look pretty good on paper.
The API is setup at api.example.com.
A user that wants to use the API registers with us, adds his domain and gets an API key.
The user of the API will use his API key to encrypt his request data (via mcrypt) and sends it, via cURL to api.example.com.
My server checks from which domain this API request comes from and matches that domain to an API key in the database. If there is an API key, the API decrypts the request via mcrypt with that key and then using the same method encrypts and sends the result.
I'm stuck on step 4. Originally, I planned to use HTTP_REFERER to check it, but since cURL doesn't send one by default and it could be easily faked in the user-side code (CURLOPT_REFERER as far as I remember), I am stuck here.
Is there a method to know from which domain this API request comes from? I see that it can be done with some popular APIs like the reCAPTCHA one. Checking the _SERVER["REMOTE_HOST"] isn't really an option because of shared hosts (they have the same IPs) so this would not be able to prevent abuse (which would originate mostly from shared servers anyway).
Is there such a method to check for it? Thanks!
#Shafee has a good idea it just needed some tweaking. We're focusing on the visible part of the API call, which is the API key. This is visible in the URL and tells the API who is requesting the data. Rather than trying to prevent others from stealing this key and running their own cURL call with the domain they intercepted it from, we can 'just add' another key to the mix, this one not visible to those interceptors. I'm not saying stop checking where the request is coming from, it's still a good way to kick out invalid requests early on in the script, but with a second key, you guarantee that only the person requesting the data actually knows how to get the data (you're trusting them not to give it away to anyone).
So, when the user registers for a key, you're actually assigning two different keys to the user.
API_KEY - The public key that connects you to your domain. The system looks up the domain and key provided in order to find the next key.
MCRYPT_KEY - This is the key that will be used to actually encrypt that data via Mcrypt. Since it's encrypted data, only the requester and the server will know what it is. You use the key to encrypt the data and send the encrypted input with your API key to the server, which finds the key that it needs to decrypt that input via the API key and domain (and IP) that have been provided. If they did not encrypt the data with the proper key, then decrypting with the correct key will return gibberish and the json_decode() call will return NULL, allowing the script to simply return an 'invalid_input' response.
Ultimately with this method, do we even need to check where (domain/IP) the request is coming from? Using this method it really comes down to the API users not giving away their API/MCRYPT key pair to other users, similar to not giving away your username/password. Even so, any website can easily just go sign up to get their own key pair and use the API. Also to note, the API will not even return anything useful to their server unless the user on their end logs in using the correct username and password, so their end will already have that information. The only thing new our server is really returning is their email address upon successful validation of the user. Having said that, do we even need to use cURL? Could we not simply use file_get_contents('http://api.example.com/{$API_KEY}/{$MCRYPT_DATA}')? I realize I'm asking more questions in my answer...
You can varify what ip the request comes from, and you ofen can do a ptr search to get a domain name for that ip, but probely the ip adress have more then one domain, and you end up whit the wrong one, so i recomendate that the client send his domainname in the reques, maybe whit HTTP_REFERER, and that you make a dns check if that domain points to the ip asking for it, but notice that a domain, like google.com, can point to more then one ip.
(the ip could probely be faked to, whit some good hacking skill, but thats out of my knowledge)
How about introducing a second variable like lets say an app id. When a user registers her domain, associate this id with the domain. The user needs to submit the app id with each request without encryption along with the encrypted api call. Then you can look up the app id get the app secret and try to decrypt?
In order to best prevent abuse of your API, limit either the speed of requests, or limit the number of requests they can make. If someone is stupid and shares their API key, they'll only be limiting their own API usage, making it more economical for people who intend on abusing the API to get their own key.
Plus, what if someone decides to implement a desktop application using your API? Surely they won't require their users to send their IP addresses to them so that they can whitelist them?
Also, you can combine limiting speed/limiting requests, and limit speed based on the number of requests like how Verizon limits the speed of their 3G network if you pass a certain amount of data usage.
I am doing some benchmark testing on my web app and notice that the responses from Facebooks API are a lot slower than Twitters.
** For the record, I am using the twitter-async library for Twitter API integration and Facebooks own library here
With the Twitter library I can save an oAuth token & secret, I then use these to create an instance and make calls, simple. For Facebook, unless I ask for offline_permission, I must store an oAuth code and recreate an oAuth access token each time the user logs into my app.
Given the above I can:
Retrieve a Twitter users timeline in 0.02 seconds.
Get a FB oAuth Access Code in 1.16 seconds, then I can get the users details in 2.31 seconds, totalling 3.47 seconds to get the users details.
These statistics are from using functions Facebook has provided in their PHP API library. I also tried implementing my own CURL functions to get this information via a request and the results are not much better.
Is this the same kind of response times others are getting using the Facebook API?
Besides requesting offline permission and storing the permanent access token, how else can I speed up these requests, is the problem on my end or Facebooks?
Thanks,
Chris
I also have the experience the Facebook API is quite slow. I believe the facebook PHP API does not much more than wrap around CURL in the case of API calls so it makes sense that this didn't improve the speeds.
I work on a canvas page, which means for existing users, I get an access token and fb_UID as he/she comes in. At first, I did a /me graph call and sometimes a /me/friends. The first takes like 0.6 secs, the second usually a bit more. So in that case I can (to some extend) confirm your findings.
That's why I've now switched to storing important stuff locally and updating it only when needed (real time update API). Basically, I don't need any API calls during 'normal' operation.
I realize you are probably integrating FB on your own page, and perhaps use a bit more info than just name, fb-UID & friends, and that this solution is not totally answering your question. But perhaps it can still function as a small piece of the puzzle ;)
I am looking forward to other perspectives on this as well!
My application calls multiple URL's from Facebook. It does take some time :/
This is why I decided to write a function which stores the results in $_SESSION so I can use it again later, along with a timestamp to see if the data is too old.
This doesn't solve the actual problem, it just saves you having to keep fetching it.
What I like to do for end user experience, is forward them to page with a loading .gif - then have javascript request the page that actually fetches data. That way, the user remains on a loading page with a nice gif to stare at, until the next page is ready.