
Secure REST API in Node.js

I would like to present a problem to which I just cannot find a solution; although I have read about it several times on the web, the resources I find do not satisfy my curiosity.

The question is the following:

Suppose we have a REST API in Node.js (Express) on the following endpoint -> /stars. Suppose we want to sell this API with the endpoint /stars to a certain target of customers; the endpoint will therefore only allow customers who buy the API to use it. The problem arises spontaneously: let's suppose that the pizza company buys my API and that I generate an access token for them; then they would call my endpoint with their token to get the resource. So far so good. However, all the requests are easily visible.

Example: Chrome > Dev tools > Network, and I see not only the endpoint with the full address, but even the payload that is passed!

So as an attacker I could very well (without paying for the API) catch the pizza company using the endpoint /stars with a token, copy everything and slap it on my own services by providing the same token and the same endpoint. I already know of the existence of tokens like JWT, but they don't solve the problem anyway, as that different token only has an expiration. Even if it expires after 15 minutes or after 3 minutes, you just retrieve another one and send an identical request with the same token. Would anyone be able to direct me to a solution?

The only one I've seen that found a solution to this is Instagram, which sends a payload of thousands of lines behind it. Is that really the only method?

Note: it is not even public.

@xVoid

  1. First, you can set up an encryption/decryption module for your response data with the help of the crypto module in Node.js. Here you send an encrypted response, and your API client decrypts your response and uses it.

  2. You can set a key for your API. It means every time your client or user sends you a request they have to send that key in the body, not the header, so other people can't get your data because they don't have that key. In Express you can set a middleware to validate whether this key exists or not; if not, simply return "You are not authorized".

If you aren't getting any point, or you want to go deep on a particular thing, just let me know.

You may simply use an http-only cookie and send the token in the cookie, instead of a normal header.

A customer using your endpoint should not be sharing their API keys with the end users.

This means that any customer using your service should create at least a proxy server to your specific endpoint.

CLIENT GET /pizza FROM CUSTOMER -> CUSTOMER GET /pizza?apiToken=<...> FROM SERVICE

Obviously there can be a man-in-the-middle attack between the CUSTOMER and your SERVICE, but that is unlikely to occur using SSL (Related: Are querystring parameters secure in HTTPS (HTTP + SSL)?)

If a CUSTOMER suspects that their API key was leaked, they should revoke it and request a new one from your SERVICE.

Of course, but if I had, for example, an API that shows football information (ONLY to logged-in users), it would be enough to log in, even with a reCAPTCHA, take the cookies and paste them into a Python bot, call the endpoint where the API returns my football data, and have it available everywhere. It is true that the JWT expires, it is true that PHP sessions expire, it is true that the cookies are protected, but if I have the endpoint /getInfoFootBall accessible by passing the cookies ^ + my API access token:

  1. My API access token will definitely be public in requests.
  2. I can safely generate cookies by first logging in manually, then setting them on my Python bot and putting them in the HTTPS request data. Result: I had access to the API, even if only for a few minutes (but I did...). NB: putting a reCAPTCHA at login only minimally solves the problem, because if I log in manually on the site and insert my cookies into the Python bot, I will still have a request that succeeds. I know perfectly well that private info such as users' phone numbers or passwords is always protected, as that endpoint is never seen by users (because most of the time it is called from the admin panel, so unless the admin wants to attack themselves it would not make sense), but the fact that I can still access a resource, which may have been sold, even for 15 minutes, creates discomfort. If the token is not public there will certainly be a file that starts the request at some point, where perhaps the request to the API server is made with axios. Even here we have a problem: maybe the axios request will be invisible, as it is done from there to the server (I say axios to give an example), but it would be enough to call the endpoint that calls the file with server-side axios to get access anyway... Is there no way to tell an API: if the domain is www.siteofbuyer.net then accept the request, otherwise discard it?

(Mine might just be a useless paranoia, but in fact the system I describe works)

I am writing here because it was too long for the comments.
