RESTful API
Ivan Vorobei, 2016-05-06 11:16:07

How to protect REST API from invalid requests?

I have:

  • REST API on Lumen
  • HTTPS connection
  • Basic Authorization: login+password are sent in the header, the response is a JWT with an access_token (sent with each request, short lifetime) and a refresh_token (to obtain a new access_token)

Required:
Implement a request validation architecture. That is, to know that a request came from "our" client (by client, I mean a mobile application), so that schoolchildren can't send requests by hand from a browser :) It turns out that a request from a client must be identified on two counts:
  1. The request came from a valid client
  2. The request came from a valid user

One could...:
The idea was to put two headers in the request and pass two tokens in them: one issued to the client, the second issued to the user. But two aren't possible, and passing it in the URL is a kludge.
UPD: Two headers are possible; parsing them is not a problem. But is this a good solution?
Bottom line:
How do I do client validation without kludges?


2 answers
xfg, 2016-05-06
@ivanvorobei

Everything that is done on the client side can be disassembled and the secret information pulled out. Therefore any application running on the client side is, by definition, insecure, and there is no point in authorizing it: it can be faked.
What you want can only be done with server-side clients.
I think you should rethink your task. Perhaps it is worth describing the situation in more detail: why you are trying to combine two incompatible things, a closed API on one side and a public mobile application on the other.
It doesn't work that way. There are two options to choose from:
1. Public API -> public client (runs on the client).
2. Closed API -> closed client (runs on the server).

Airat1995, 2016-05-06
@Airat1995

You could use the phone's IMEI to check that it is a phone. Here is an IMEI database and an API for it: www.imei.info/api/imei/docs. However, there are programs for spoofing the IMEI, as well as for generating one.
