I am developing a PHP API for a website and I'd like to restrict API use to domain names which are registered on our server (to prevent abuse of the API). So, this is my approach at this time, and well, it looks very good on paper.
- The API is set up at
- A person who wants to use the API registers with us, adds his domain and gets an API key.
- The consumer of the API uses his API key to encrypt his request data (via mcrypt) and sends it, via
- My server checks which domain this API request originates from and matches that domain to an API key in the database. If there is an API key, the API decrypts the request via mcrypt with this key and then, using the same method, encrypts and sends the result.
I am stuck on step four. Initially, I planned to use HTTP_REFERER to check it, but since cURL does not send one automatically and it can easily be spoofed in the user-side code (CURLOPT_REFERER as far as I recall), I'm stuck here.
Is there a way to know which domain this API request originates from? I see that it is possible with a few popular APIs such as the reCAPTCHA one. Checking `$_SERVER["REMOTE_HOST"]` is not really an option due to shared hosts (they have the same IPs), so this wouldn't be able to prevent abuse (which would originate mostly from shared servers anyway).
Is there such a way to check for this? Thanks!
@Shafee has a good idea, it just needs some fine-tuning. We are concentrating on the visible part of the API call, the API key. This is visible in the URL and tells the API who is asking for the information. Instead of trying to prevent others from stealing this key and running their own cURL call using the domain they intercepted it from, we can 'just add' another key to the mix, one not visible to those interceptors. I am not saying stop checking where the request is coming from, it will still be a good way to filter out invalid requests early on in the script, but with another key, you guarantee that only the person asking for the information really knows how to obtain the data (you are trusting them not to give it away to anybody).
So, when the user registers for a key, you are really setting two different secrets for the user.
API_KEY - The public key that connects you to your domain. The system looks at the domain and key provided to find the next key.
MCRYPT_KEY - This is the key that will be used to actually encrypt the data via Mcrypt. Because it is encrypted data, only the requester and the server know what it is. You use the key to encrypt the data and send the encrypted input along with your API key to the server, which finds the key it needs to decrypt that input through the API key and domain (and IP) that have been provided. If they didn't encrypt the data using the proper key, then decrypting using the correct key will return gibberish and the `json_decode()` call will return NULL, allowing the script to simply return an 'invalid_input' response.
Ultimately with this method, do we even have to check where (domain/IP) the request is coming from? That way it comes down to the API users not giving out their API/MCRYPT key pair to other users, much like not giving out your username/password. Nevertheless, any website can easily go sign up, get their own key pair and use the API. Also to note, the API won't even return anything useful to their server unless the user on their end logs in using the right password, so their end will already have that information. The only new thing our server is actually returning is the email address upon successful validation of the user. With that said, do we even want to use cURL? Could we not just use `file_get_contents('http://api.example.com//')`? I realize I am asking more questions in my answer...
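As an added example (not the answerer's code), here is the two-key flow described above in PHP: the public API key identifies the registrant, the secret key protects the payload, and the server rejects anything it cannot decrypt. Since mcrypt has been removed from current PHP, it assumes openssl with AES-256-GCM instead, which also authenticates the ciphertext rather than relying on `json_decode()` rejecting gibberish; the registry, domain and secret are constructed values.

```php
<?php
// Added example, not code from the answer above. Two-key scheme: a public
// API_KEY identifies the registrant; a secret key protects the payload.
// AES-256-GCM via openssl replaces mcrypt: a wrong key fails at decryption.

// Constructed registry: API_KEY => registered domain and 32-byte secret (hex).
const REGISTRY = [
    'pub_8f3a' => [
        'domain' => 'client.example',
        'secret' => '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef',
    ],
];

// Client side: encrypt the JSON payload with the secret key. Returns the
// fields that travel alongside the public API key.
function clientEncrypt(string $secretHex, array $payload): array {
    $key = hex2bin($secretHex);
    $iv  = random_bytes(12);            // fresh 96-bit nonce per request
    $tag = '';
    $ct  = openssl_encrypt(json_encode($payload), 'aes-256-gcm', $key,
                           OPENSSL_RAW_DATA, $iv, $tag);
    return ['iv' => base64_encode($iv), 'ct' => base64_encode($ct),
            'tag' => base64_encode($tag)];
}

// Server side: look up the secret by API key, check the claimed domain,
// decrypt, then parse. The domain check is only a cheap early filter.
function serverHandle(string $apiKey, string $claimedDomain, array $req): array {
    $entry = REGISTRY[$apiKey] ?? null;
    if ($entry === null || !hash_equals($entry['domain'], $claimedDomain)) {
        return ['status' => 'invalid_key'];
    }
    $pt = openssl_decrypt(base64_decode($req['ct']), 'aes-256-gcm',
                          hex2bin($entry['secret']), OPENSSL_RAW_DATA,
                          base64_decode($req['iv']), base64_decode($req['tag']));
    if ($pt === false) {                // wrong key or tampered data
        return ['status' => 'invalid_input'];
    }
    $data = json_decode($pt, true);
    return is_array($data) ? ['status' => 'ok', 'data' => $data]
                           : ['status' => 'invalid_input'];
}

// Legitimate caller, then an interceptor who knows only the public API key.
$secret = REGISTRY['pub_8f3a']['secret'];
$good = serverHandle('pub_8f3a', 'client.example',
                     clientEncrypt($secret, ['user' => 'alice']));
$bad  = serverHandle('pub_8f3a', 'client.example',
                     clientEncrypt(str_repeat('ff', 32), ['user' => 'alice']));
echo $good['status'], ' ', $bad['status'], PHP_EOL;
```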
You can verify what IP the request originates from, and you often can do a PTR lookup to get a domain name for that IP, but probably the IP address has more than one domain, and you end up with the wrong one, so I recommend the client send his domain name in the request, maybe with HTTP_REFERER, on which you do a DNS check whether that domain points to the IP requesting it, but note that a website, like google.com, can point to more than one IP. (The IP could probably be spoofed too, with good hacking skill, but that's outside my knowledge.)