English is not my first language. I'll do my best to explain my self.
I am creating an API to be used by clients via Javascript. The client should include on his website something like this:
<script>
var my_api = {
public_key: "123456"
};
</script>
<script async src="https://api.example.com/v1/init.js"></script>
So... how can I use a Public Key to verify the client's website?
I know I can get the referer and compare it in with the key on my database, but:
(a) If the referer may be faked, a public key won't be useful because is already public
And (b) if the referer can't be faked, Why would I use a public key? Is not enougth with the referer?
I can't ask the client to encrypt something to varify if he have the right key if anybody can knows the key...
I have only created APIs with both private and public key (or only private) in the past.
Finally, I want it all be installed on client's website by copy/pasting few lines of JS code (that's why I want only use public key).
I know it is possible because that's how Google Ads works, I just need help to figure out the way.
Note: I searched for other topic on the forum but I couldn't find any answer, just thing related the SSH and nodeJS. I am developing a simple API with PHP and pure JS.
The problem that you might run into with putting the api key on their website is that it could be viewed by anyone and used. Use a Process environment variable on the system they are using to host their site. You can use this resource for information: https://hackernoon.com/how-to-use-environment-variables-keep-your-secret-keys-safe-secure-8b1a7877d69c
Related
I'm in the process of setting up server-to-server auth for my react app to be able to pull data from the Google Spreadsheet API without the user having to authenticate.
I'm going through the docs: https://developers.google.com/identity/protocols/OAuth2ServiceAccount
I'm having an issue with this bit:
Sign the UTF-8 representation of the input using SHA256withRSA (also known as RSASSA-PKCS1-V1_5-SIGN with the SHA-256 hash function) with the private key obtained from the Google API Console. The output will be a byte array.
What would this look like using javascript?
I've got the private key from my Google API console, and i've got the UTF-8 representation of the input ready to go.
I'm just not sure how I go about signing it using SHA256withRSA with the private key.
Thanks!
Okay, so you've got all the ingredients, now you just want to make the product!
Here's how you can sign input:
Use the crypto lib: https://github.com/thenativeweb/crypto2
Find the correct hashing algorithm (they are listed on there github) and away you go. Here is an example
crypto2.sign(YOUR_INPUT_HERE, your_private_key, (err, signature) => {
console.log (signature); // View the contents
});
I am creating a SPA blog website with PHP/MySQL and a Javascript frameworks, still haven't decided which one yet.
The idea is that I am willing to create an API and consume it using Javascript, but I want to protect the API, so that no one can access /posts/ for example and get a list of all the posts.
I am not requiring any registration and I don't have a users system.
How would I go about it?
Thanks
You might be able to hard code whitelisted IP addresses, but as Steve pointed out in the comments: it's either public or it's not.
I'd go with some little registration functionality that generates API-keys that can be used to access your API.
It has been pointed out that a public API is public, however there are some steps that could take to make it more difficult for consumers other than your UI to access it.
The problem is akin (though not the same as) Cross Site Request Forgery, and you can use a variation of any of the prevention techniques listed to mitigate unauthorized access to your API.
The simplest implementation might be something like this:
index.html
<?php
$mytoken = uniqid();
$_SESSION['token'] = $mytoken;
?>
<input type='hidden' name='apitoken' value='<?= $mytoken;?>' >
some-api-endpoint.php
<?php
if($_GET['apitoken'] !== $_SESSION['token']) {
header("HTTP/1.0 403 Forbidden", true, 403);
}
If someone wants to access your public API, they will be able to, but they will have to put forth at least a little bit of effort to do so.
Using a JWT service will work just as well.
Have a look here: introduction to JWT
You can also use an api key and secret which will be passed on initial session auth for your service.
Here's a Stackoverflow answer that helps explain what you'll need to do: key and secret in php
If you're really lazy, you can just use basic authentication or digest auth to auth on the client side. (This is not advisable and has security risks as if you're not using ssl the passwords are passed as plain text in the request)
Another article for your information: PHP HTTP Authentication
I want to configure my Node app to decode public key encrypted messages POST'ed to it using its private key. The private key is in PEM format.
I wanted to use a javascript only solution on the server side for maximum portability (hence ursa is out), this appear to leave node-bignumber ( on the phone app side, I will be using C# and probably something like Scrypt). The single example given for node-bignumber seems to work well so long as yo use the Key method to generate the certificate, however I already have certificates (the public one installed in my phone app and the private one used by my server) - how do I get this into a format recognised by the the library?
I admit I am totally new to NodeJS and javascript and would greatly appreciate any more general advice you may have in providing backends for phone apps ...
I'm new to coding for Facebook, but I was wondering if there is a way to access public information for users listed in the public directory without writing an application that they use? I code mostly in perl.
Cheers.
What do you mean by "public directory" ?
You can use the graph.facebook.com sub domain to access the public infos in REST.
http://graph.facebook.com/userID or PageID
Example : http://graph.facebook.com/nike
I'm trying to find out if there is a way to use SignalR and be notified (in real-time) if a visitor has pushed a button on another site (different domain). First off, is SignalR the best way of doing this? Second, I have all the Javascript logic to find out if the visitor has actually clicked the button of interest but don't know how to relay that message to my server (where the real-time tracker will be).
Second, There is no way of knowing what kind of technology (php, asp.net, regular html) will be running on the other end of the where the signal will be generated, will this be a problem?
Lastly, the biggest reason why I would like to use SignalR (other than to start using it and learn it :) ) is so that I can have near real-time reporting of the activity on the dashboard. If there is a better solution (other than regular javascript polling and updating) by all means please let me know.
I guess by these questions you can easily find out that I'm a newbee in the SignalR world and would need as much help as possible as this is going to be my first project in this field.
You can use SignalR self-hosting server for this. self host example I use this to have multiple clients to access the same Hubs and thus receive notifications from other clients/sites.
Here is an example of what my self hosted main looks like:
using System;
using System.Configuration;
using System.Diagnostics;
using SignalR.Hosting.Self;
namespace SelfHostedSignalr
{
class Program
{
static void Main(string[] args)
{
Debug.Listeners.Add(new ConsoleTraceListener());
Debug.AutoFlush = true;
string url = "http://localhost:8081/";
var server = new Server(url);
server.MapHubs();
server.Start();
Console.WriteLine("Server running on {0}", url);
while (true)
{
ConsoleKeyInfo ki = Console.ReadKey(true);
if (ki.Key == ConsoleKey.X)
{
break;
}
}
}
}
}