
I might be wrong, as I am very new to API key fundamentals. Please correct me if I am wrong.

I have a JavaScript front-end and a backend application in PHP (can be any technology). I want to expose some API from the backend application for AJAX, so that a third-party developer could use my API from their application without worrying about the actual implementation on the backend.

I will expose an API Key to the developer, so that whatever request he makes from his application, uses the API key and I can keep a record of which API key is accessing the application.

As it is an AJAX call to the server, he has the API key stored in the JS file that I'll give.

The question is: if someone were to look into the JS file he has, one could easily get the API key which was designed for some other application. How should I implement this in a secure manner?

Can anyone help?

Veer Shrivastav
  • You could build a relation between referrer url(which API calls originates from) and the key you provided. – JuniorDev Apr 29 '15 at 13:03
  • Can't that be faked? It's packet data, you can change it using Wireshark. Also, suppose the person has PhoneGapped a JS application, then what? – Veer Shrivastav Apr 29 '15 at 13:05
  • A completely pure JS application is nearly impossible to secure by your standards. Perhaps you could build a token-based approach: first login/handshake and send a key with very short validity, to be included in each subsequent API call. You can also look up how Facebook handles these situations on their API. In their case, JS apps don't need a secure key, only an appId. – JuniorDev Apr 29 '15 at 13:14
  • You cannot. To make it secure in the browser, you have to add security headers, and probably use CORS if they are on different domains. Of course, you have to check the domain of the request. I think that's all you can do. Every request coming from the browser can be faked. – inf3rno Apr 29 '15 at 15:47
  • @inf3rno: how do you implement security headers? – Veer Shrivastav Apr 30 '15 at 03:28
  • https://github.com/twitter/secureheaders https://www.owasp.org/index.php/List_of_useful_HTTP_headers – inf3rno Apr 30 '15 at 04:24

1 Answer


Plain javascript is not possible to hide from the end-user since the end-user is the one executing the code.

You can use obfuscated javascript but then again there is always the possibility of reverse-engineering.

Volkan Ulukut
  • That's what I was thinking. But then how would you make a request to a certain API with API keys using an AJAX call? – Veer Shrivastav Apr 29 '15 at 13:20
  • You don't. You use server-based code to retrieve the API response. – Volkan Ulukut Apr 29 '15 at 13:26
  • Didn't get you... Do you mean AJAX should not call the API; instead, the API should be accessed via other server-side code, like cURL? – Veer Shrivastav Apr 29 '15 at 13:42
  • What I mean is, you don't store sensitive information in JavaScript code. So if you don't want your API to be abused by other non-authorized users, you should ask the third-party developer to use a server-side script (like PHP) to post data to your web service, not AJAX. curl or file_get_contents can be used in PHP to simulate an AJAX request. – Volkan Ulukut Apr 29 '15 at 13:44
  • Hey, see [this](https://developers.google.com/api-client-library/javascript/start/start-js): they are using an API key in JavaScript. That's something like what I am looking for. They are authenticating the application, right? How are they doing that? – Veer Shrivastav Apr 30 '15 at 13:07
  • They use the API key for "API calls that do not access any private user data"; they know the API key might be stolen. So they use OAuth 2.0 for sensitive information. This requires the user to log in to their site first (Google Plus), get permissions, then return to the original site, just like Facebook Login handles logins. – Volkan Ulukut Apr 30 '15 at 13:15
  • When you use Google, LinkedIn or Facebook login, you'll notice that they return users after login with a code parameter to identify them in JavaScript for a limited amount of time. It's a token-based approach. For that to happen you'd need to log users in to your site first. – Volkan Ulukut Apr 30 '15 at 13:17
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/76646/discussion-between-veer-shrivastav-and-volkan-ulukut). – Veer Shrivastav Apr 30 '15 at 13:20