
API Security


The Little Guy


I am trying to make a JavaScript API, and I only want the sites that register on my site to be able to access the API.

 

So, for example:

http://example1.com  - A pretend registered site

http://example2.com  - A pretend non-registered site

 

So, example1 signs up and creates 2 hash codes to use that get validated on my server against the domain name. To make sure their site is a valid site, they need to pass to my API the domain and the two hash codes, which must match in the database. The problem is that you can view the source, so the owner of example2.com can get the hash codes really easily; all you need to do is use those hash codes and modify the domain it is coming from, and now example2.com can get data as if it were example1.com.

 

Any ideas how I can make it so only the domain that runs the code can access the data?

 

What this is:

 

The site is an indexer: it indexes site data, and when you do a search from your domain with your two codes, it gets all pages related to the search that are registered under your domain.

 

Does that all make sense?


You need to keep in mind that the user's browser is running the code, not the domain.

 

Possibly the best solution is to include a time-sensitive component in two parts of the URL: as a parameter itself as well as a part of the hash provided.

/javascript?time=1234567890&hash=123qweasdzxc

The hash is actually a function of something (identifier, other hash, whatever) and the time. It could be as simple as

hashing_function(time() . $hash)

The remote server (yours) checks (a) that the time is close enough to the current time and (b) that the expected hash value, computed independently, agrees with the given value.


> You need to keep in mind that the user's browser is running the code, not the domain.
>
> Possibly the best solution is to include a time-sensitive component in two parts of the URL: as a parameter itself as well as a part of the hash provided.
>
> /javascript?time=1234567890&hash=123qweasdzxc
>
> The hash is actually a function of something (identifier, other hash, whatever) and the time. It could be as simple as
>
> hashing_function(time() . $hash)
>
> The remote server (yours) checks (a) that the time is close enough to the current time and (b) that the expected hash value, computed independently, agrees with the given value.

 

I don't understand how this couldn't also be reproduced.


If they reproduce it exactly then it will only be valid for a short period of time. Afterwards your server will reject the request.

Otherwise they can output the right time but won't be able to generate a matching hash.

 

Also keep in mind that someone could simply replicate the actual JavaScript code you output...


They can. But they can't get the right hash. Referring to the example code I posted, they can know the time() but they can't know the $hash.

 

[edit] There are two "hashes" here.

$public = hashing_function(time() . $private);

The $public is the one used in the HTML and in the URLs. The $private one is kept secret. Any site that wants to copy the URL can copy the $public, but once the time() changes enough it will become invalid; they can't generate a valid one because they don't know $private.

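The time-bound token scheme described in the two replies above (a public hash derived from the time and a private value, verified server-side against a time window), written out as an added example that is not code from this thread. It assumes a per-domain table of private keys and a 300-second window, and swaps in HMAC-SHA256 for the bare hashing_function(time() . $private), binding the domain into the MAC so a copied token cannot simply be relabelled with another domain.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed values for this example. In practice each registered domain
# gets its own private key, which is stored only on the server.
PRIVATE_KEYS = {"example1.com": b"constructed-private-key-for-example1"}
WINDOW_SECONDS = 300  # how far the presented time may drift from the server clock


def make_token(domain: str, ts: int) -> str:
    """Server side: derive the public hash from the time, the domain and the
    domain's private key. HMAC stands in for hashing_function(time() . $private);
    the structure is the same, but HMAC avoids length-extension pitfalls of
    a plain hash(secret || data) construction."""
    key = PRIVATE_KEYS[domain]
    msg = f"{ts}:{domain}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_request(domain: str, ts: int, given_hash: str,
                   now: Optional[int] = None) -> bool:
    """Check (a) that ts is close enough to the current time and (b) that the
    hash, recomputed independently, agrees with the one supplied."""
    if domain not in PRIVATE_KEYS:
        return False  # unregistered domain: nothing to recompute against
    now = int(time.time()) if now is None else now
    if abs(now - ts) > WINDOW_SECONDS:
        return False  # stale or replayed token
    expected = make_token(domain, ts)
    # constant-time comparison so the verifier does not leak via timing
    return hmac.compare_digest(expected, given_hash)


if __name__ == "__main__":
    now = 1234567890
    token = make_token("example1.com", now)
    print(f"/javascript?domain=example1.com&time={now}&hash={token}")
    print(verify_request("example1.com", now, token, now=now))         # True
    print(verify_request("example1.com", now, token, now=now + 3600))  # False, expired
    print(verify_request("example2.com", now, token, now=now))         # False, copied token
```

As the later replies point out, this only limits how long a copied token stays useful; it cannot stop someone who fetches a fresh one within the window.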

Of course the determined abuser could just cURL the server to get the API key whenever he wanted to. ;D

You won't be able to deter a determined user when you're dealing with client-side JavaScript code. You can make it annoying and time-consuming, but not impossible.

 

Indeed. And the more annoying and time-consuming you make it, the more the person probably wants it - just so they can spite you.

