
I recently started using BackboneJS and for a new project I need to access a MySQL database on a server I have full access to.

I've been reading up on RESTful APIs and now I want to set up one, but I'm not quite sure about one thing: will other people be able to insert rows into my database via the RESTful API I will set up (using Slim)?

I know it won't be possible using JavaScript/AJAX because of the same domain policy. But what if someone POSTs to the API using PHP/cURL or something similar? Will it be possible to insert rows using this method without me checking stuff on the server-side?

In short I just want to be sure I'm the only one that can insert (create, put, delete) things into the database, I don't really care about reading (get) but I'm guessing that if you can't insert you can't read either.

EDIT

Please note that this question is not about authenticating users; it's about whether others will be able to simply use my API using cURL or something similar.

Cas Cornelissen
  • http://stackoverflow.com/questions/319530/restful-authentication – Digital Chris Mar 20 '14 at 18:27
  • **See edit**. As far as I've read, the answers to that question are about user authentication. I just want my application to be authenticated (and my application will have separate users). In short I don't want anyone else to be able to use the server-side part (API). – Cas Cornelissen Mar 20 '14 at 18:38
  • In that case I'm not sure I understand your architecture. You have a server running PHP and another with a database? Or is that one server? You realize that Backbone is just a library for writing client-side javascript that will access your REST API done using some server side language right? – Digital Chris Mar 20 '14 at 18:47
  • I have a server (PHP/MySQL) and a Backbone app (which will be located on the same server). I just want to be sure that it's not possible for others to do `POST domain.com/dog` and add a record via the API. Your link was a very interesting read, though! Thanks for that :) – Cas Cornelissen Mar 20 '14 at 18:49
  • The way a RESTful service works is your users will make `get/put/post/delete` calls from their browsers with the help of backbonejs which is also run on their browsers. These calls are handled by the LAMP stack. The only way to control who inserts data is by authenticating them somehow. It is irrelevant if they POST from their backbone-enhanced browser or curl. – Digital Chris Mar 20 '14 at 18:59
  • I think the thing that might be getting missed, or is unclear is, you mentioned running backbone on a server. So you are using server-side js with backbone? You are not worried about browser client hitting this API? If that is the case, you control both the client and server side of the equation, so you can control authentication using some shared key, protocol-level authentication (i.e. HTTP basic authentication), IP range restrictions, or a number of other options (or combination of options). – Mike Brant Mar 20 '14 at 19:09
  • I'm sorry, I meant that the application is hosted on the same server. Backbone is running on the client-side. But the IP limiting suggestion below seems like a solution I would use. – Cas Cornelissen Mar 20 '14 at 19:18

2 Answers

1

Limit your API to respond to only servers that are allowed. E.g: Limit the IP addresses that can use the API.

If your RESTful API and MySQL are hosted on the same server, you could limit the API to respond only if the requesting IP address is 127.0.0.1.

  • That's a great idea! Would it be possible to allow specific URLs, or are there security (or other) issues with that? – Cas Cornelissen Mar 20 '14 at 19:17
  • It depends on how you implement the solution above. If you limit the IPs that can use the API on a firewall, I don't think you would be able to allow only specific URLs, but if you can change the API code, you could make it check the user's IP on each request, and only perform an action if the IP matches with the allowed IPs. Then, you could make different conditions for each URL. I can't think of any issue that this setup might cause to you. – viniciusmunich - AssabetTech Mar 20 '14 at 19:27
  • Thanks for the information. I will accept this as the answer for now as it looks like this will work :) – Cas Cornelissen Mar 20 '14 at 19:30
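An added example (not code from the question or either answer) of the per-request IP check discussed in the comments, written in plain PHP so it can be called from a Slim route or hook. It assumes the policy from the answer above: reads are open, writes are accepted only from the loopback address. The Slim 2 hook name at the end is an assumption about that framework version.

```php
<?php
// Added example, not from the original question or answers.
// Allowlist check: GET/HEAD are unrestricted, every other method is
// accepted only from the addresses below (loopback, per the accepted answer).
declare(strict_types=1);

// Hypothetical policy values; adjust to the hosts that really call the API.
const WRITE_ALLOWLIST = ['127.0.0.1', '::1'];

/**
 * Decide whether a request may proceed.
 * $server is a copy of $_SERVER, passed in so the function is testable.
 * Only REMOTE_ADDR is consulted: the web server fills it from the TCP
 * connection. Headers such as X-Forwarded-For are client-controlled and
 * must not drive this decision unless a trusted proxy is known to set them.
 */
function request_is_allowed(array $server, array $allowlist = WRITE_ALLOWLIST): bool
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if ($method === 'GET' || $method === 'HEAD') {
        return true;                         // reads are not restricted
    }
    $ip = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;                        // missing or malformed address
    }
    return in_array($ip, $allowlist, true);  // strict string comparison
}

/** Reject the request with 403 when the policy says so. */
function enforce_ip_policy(): void
{
    if (!request_is_allowed($_SERVER)) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'forbidden']);
        exit;
    }
}

// Example wiring for a Slim 2 application (hook name assumed for Slim 2):
// $app->hook('slim.before.dispatch', 'enforce_ip_policy');
```

Because REMOTE_ADDR is the only input, this check cannot be satisfied by adding a header to a cURL request; it can only be satisfied by connecting from an allowlisted host.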
0

You will need to set up authentication so that only authenticated users can use the Restful interface. Then as long as you don't give your credentials to anyone, you'll be the only one who can use it.

Warren Dew
  • I'm not sure if I understand correctly, but are you saying it's impossible (or hard, at least) to allow only one Backbone application to use the API? – Cas Cornelissen Mar 20 '14 at 18:35
  • By the time the restful request gets to the server, it looks the same no matter what client application it originally came from - it's an HTTP request. The only thing your restful server can do to reject some requests and not others is to examine the source IP, as viniciusmunich suggests, or to check the request itself for some data that identifies it as a request that should be accepted - that is, authentication data. – Warren Dew Mar 20 '14 at 19:53
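An added example (not from the answer or its author) of the second option Warren Dew describes: the request carries authentication data that the server checks. Here a caller that holds a shared key signs each write with an HMAC over the method, path, timestamp and body, and the server verifies it in constant time. It assumes the caller is server-side code, as Mike Brant's comment suggests; a key embedded in browser JavaScript is visible to anyone who loads the page. The header names and the secret are hypothetical.

```php
<?php
// Added example, not from the original answers.
// Shared-secret request signing: only a caller holding API_SHARED_KEY can
// produce a valid X-Signature, regardless of whether it uses a browser or cURL.
declare(strict_types=1);

// Hypothetical secret; in practice load it from configuration outside the web root.
const API_SHARED_KEY = 'replace-with-a-long-random-secret';
const MAX_SKEW_SECONDS = 300;   // reject timestamps older than five minutes

/** Canonical string both sides sign: method, path, timestamp, body hash. */
function canonical_string(string $method, string $path, string $ts, string $body): string
{
    return implode("\n", [strtoupper($method), $path, $ts, hash('sha256', $body)]);
}

/** Client side: compute the signature to send in X-Signature. */
function sign_request(string $method, string $path, string $ts, string $body,
                      string $key = API_SHARED_KEY): string
{
    return hash_hmac('sha256', canonical_string($method, $path, $ts, $body), $key);
}

/**
 * Server side: accept only if the timestamp is recent (limits replay) and
 * the HMAC matches. hash_equals avoids a timing side channel on the compare.
 */
function verify_request(string $method, string $path, string $ts, string $body,
                        string $sig, int $now, string $key = API_SHARED_KEY): bool
{
    if (!ctype_digit($ts) || abs($now - (int) $ts) > MAX_SKEW_SECONDS) {
        return false;
    }
    $expected = sign_request($method, $path, $ts, $body, $key);
    return hash_equals($expected, $sig);
}

/** Guard to call at the top of every write route; replies 401 on failure. */
function require_signed_request(): void
{
    $ok = verify_request(
        $_SERVER['REQUEST_METHOD'] ?? '',
        explode('?', $_SERVER['REQUEST_URI'] ?? '/', 2)[0],   // path without query
        $_SERVER['HTTP_X_TIMESTAMP'] ?? '',
        file_get_contents('php://input') ?: '',
        $_SERVER['HTTP_X_SIGNATURE'] ?? '',
        time()
    );
    if (!$ok) { http_response_code(401); exit; }
}
```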