api-key for client-server communication and security
Question
i need some advice. i want to build a JS app that will run on a client browser and communicate with ajax with my server. the problem is that i want to give this client some api-key so i can authorize it on my server. security wise its a problem because as long that this key is sending through the ajax call, anyone can replicate this call. i don't want to ask the client to create some proxy server and "curl" the request. i want it to be directly from the client to my server. what is the best practice for that except verifying the client by his IP or domain?
2 answers
solution1
1 2016-03-18 20:46:18
You could use something like a JWT .
You create an authentication object
{
apiKey: asd-dfgdf-e3234, // not even necessary (read on)
expires: 12213493434,
ip: "x.x.x.x"
}
You base64 encode it and then sign it with a private key (or hash function on your server) and attach the signature as a base64 string to the "payload".
eyBhcGk6IDEyMzQ1LTU2Nzc4LCBhcGk6IDEyNy4wLjAuMSB9.Tm90IFNlY3VyZSE=
| -------- payload ----------------------------| -- signature -|
Pass this to your client. Every request sends this token. It can be examined and verified to be tamper free (match the requesting IP no key necessary).
solution2
0 2016-03-18 20:01:57
Sadly, you can only check the Referer header, and issue API keys with a whitelist of allowed referers.
The main issue here is Referer isn't secure at all: it can be changed. That is, anyone can impersonate a client...
AFAIK, the point is your clients should be able to re-create their API keys, and they should do it once they've realized that someone is impersonating them. And they should keep re-re-re-creating until the bad guy stops impersonating them...
Make it as hard as possible...
One possible approach to make things harder to unwanted clients impersonating actual clients can be using access tokens with expiration.
Also, a good practice can be that one client can request a limited number of access tokens everyday. If these access tokens have a 24 hour expiration time, and there's a limit of 3 or 4 access tokens per API key and per day, if many bad guys try to impersonate one of your clients, well, only 3 will be able to do so.
You can also define a limit of an access token per day. This could make things even harder.
BTW, you can argue that anyone can steal the whole access token too. Well, this is the time to re-generate the API key and get a new one. Finally these bad guys will get tired of getting their access tokens invalidated...
Best solution
Actually, if your API needs to be secure and it's private as you've said in some of your comments on my own answer, there's no choice here: you need to go the server proxy way .
I would check node-oauth2-server to use OAuth2 to secure your API.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.