
How to authenticate that a request came from a website?

A friend and I are building an API with a web front end. The website utilizes the API via Ajax requests to interact with the back-end. We would like to offer limited access to the API for people not using the website (you must pay a fee to use the API), but full unlimited access to anyone on the website.

Now the problem: We are struggling to identify which API call comes from where. Since the website uses JavaScript for the calls, the request appears to come from the user's IP. We thought about using unique tokens for each call or signing the calls, but JavaScript would expose the methods and keys used in both cases.

We are emphasizing security, so we are searching for a robust solution.

Thanks in advance!

We ended up settling on middleware in the login, written in PHP. It generates an additional token valid for 24h and stores it in the cache. All requests made from the website utilize this token, so if it is not present then the request didn't come from said website.

The downside is that you could theoretically fake the request by taking the token from the cache and using it elsewhere, but it would require updating the token manually every day.

