Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
J
J
jieggii2020-02-12 20:02:09
API
jieggii, 2020-02-12 20:02:09

How to protect the service API from fake requests?

So, we have:

  • API
  • Client application (VK Mini App), which is nothing more than a user-friendly interface that implements API functionality


We have a user who has user_id.
The API has a method someAction.performthat interacts with the database and changes something there. I need to somehow check that this request was sent by this user, namely through the client application, and not some villain who sends requests with curl and substitutes someone else's user_id. I also want to emphasize that I work through VK, so my users do not have passwords or logins in my service, and that the client application can be easily reverse engineered.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

3 answer(s)
Report
S
Sergey Sokolov, 2020-02-13
@jieggii

Read the documentation for VK Mini Apps, section Signature launch options . There are also links to examples of the implementation of signature verification.
The user comes with a bunch of parameters , including the user_idrequest signature sign, which you need to check on your server. It is tied to the "secret" of the application.
So you can make sure that the right user came and the parameters were not faked.
Further, the same parameters can be passed with each API request, and checked again in the handler.
Or, a little more difficult, generate a temporary unique key, store it in your database / Redis, and pass it in the headers of all API requests.

Report
D
Dimonchik, 2020-02-12
@dimonchik2013

not to get up twice

Report
X
xmoonlight, 2020-02-13
@xmoonlight

It is necessary to associate the user and the secret key for signing requests using a third-party responder.
Check: is it possible to transfer data around the ring: your service -> application -> vkAPI -> and .. bouncing vk to your service, bypassing the client?
If it's possible, you can sign your requests and check the signature against vk response/responder for a particular user (only you know the secret key, and only VK knows the user).
No other way.

Similar questions
S
SemyonDyachenko2019-10-31 18:38:07
How to scale pixelart in sfml? 2Reply
A
Artur Lastname2019-11-22 08:32:03
How to disable all OTHER handlers on a js/bitrix element? 3Reply
L
llCorvinuSll2014-05-19 13:21:15
pony express tracking API? 2Reply
P
pavelsokg2022-01-26 10:06:03
The user's balance is not replenished, what's wrong? 0Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question