CodeIgniter Forums

CodeIgniter Forums > Using CodeIgniter > Best Practices > Secure my API connection with other websites
Full Version: Secure my API connection with other websites
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

ardavan

05-02-2017, 05:21 AM
Hi,

I'm using codeigniter-restserver library.

My goal is to give access to other websites to get some data from my DB.

So I need to secure my connection and make sure the website(which is willing to share with) access to my API.

I was reading the documentation and I found we can use rest_valid_logins by using username and password. but the thing is I want to make dynamic access to websites. I need to store accesses in my Database.

Then I found X-API-KEY which can store the keys in my database and give access to requests.

I would like to add another authorization to make sure the key is using only for one website not many. I want to check 2 things at the same time like X-API-KEY with the Website domain name.

How should I make this happen?

Thanks guys

xenomorph1030

05-02-2017, 06:10 AM
How would you validate that the API request is coming from a particular domain? Request headers can be modified as can query parameters. It seems like additional complexity that isn't necessary, though that is without knowing why you want to do so.


Let's say you figure that out, all you would need to do is override the _detect_api_key() function and add your additional code, so usually creating a class that extends the REST_Controller.

ardavan

05-02-2017, 07:28 PM
(05-02-2017, 06:10 AM)xenomorph1030 Wrote: [ -> ]How would you validate that the API request is coming from a particular domain? Request headers can be modified as can query parameters. It seems like additional complexity that isn't necessary, though that is without knowing why you want to do so.

I'm going to give them a piece of code.
The code will send POST request to my API along with X-API-KEY. so i can put additional info in to it as parameters such as Domain Name or IP whatever.

Why i wanna do this? coz i wanna give the access only to one of their website not they get one key and use it unlimited for any website they have.

So if i send the cURL which has X-API-KEY and domain name as parameters, how can i check it in the restful library, i mean where is the function that checks the X-API-KEY ? so i can extend

Thanks

Martin7483

05-03-2017, 01:46 AM
Maybe this can help you

REST Security Cheat Sheet

xenomorph1030

05-03-2017, 04:45 AM
Why couldn't the code you send them be modified? All of these measures to try to restrict items that are easily circumvented. I did a quick search and first result is this: http://stackoverflow.com/questions/61710...-by-domain. I'm only trying to point out that regardless of what you do, there is a way around it. Work smarter, not harder.

Moving forward, I mentioned which function you need to override. Add your additional logic there (checking for the domain) and your controller will extend this new class. If that column is in the same table as the API key and the domain and key are a one to one relationship, I would modify the code currently found on line 1028 to include the additional WHERE clause.
CodeIgniter Forums > Using CodeIgniter > Best Practices > Secure my API connection with other websites