0

I have some REST APIs deployed on api.xyz.com. Now I want to allow all APIs to be accessible only through authorized mobile devices and my own domain, xyz.com.

If I set the allow-origin headers to my site, then the API stops responding to mobile devices. Please suggest whether this is possible.

Also, when I try to get the consumer IP address in a REST API call, it always returns my API server's public IP in $_SERVER[REMOTE_ADDR] instead of the client IP address. I also tried this to get the consumer IP address, but with no success:

        // Every value below except REMOTE_ADDR comes from a request header,
        // so any caller can set it to whatever they like.
        $ipaddress = '';
        if (getenv('HTTP_CLIENT_IP')) {
            $ipaddress = getenv('HTTP_CLIENT_IP');
        } else if (getenv('HTTP_X_FORWARDED_FOR')) {
            $ipaddress = getenv('HTTP_X_FORWARDED_FOR');
            // X-Forwarded-For can be a comma-separated chain of hops; keep the first one
            if (strpos($ipaddress, ',') > 0) {
                $addr = explode(",", $ipaddress);
                $ipaddress = trim($addr[0]);
            }
        } else if (getenv('HTTP_X_FORWARDED')) {
            $ipaddress = getenv('HTTP_X_FORWARDED');
        } else if (getenv('HTTP_FORWARDED_FOR')) {
            $ipaddress = getenv('HTTP_FORWARDED_FOR');
        } else if (getenv('HTTP_FORWARDED')) {
            $ipaddress = getenv('HTTP_FORWARDED');
        } else if (getenv('REMOTE_ADDR')) {
            // REMOTE_ADDR is the TCP peer; behind a proxy or NAT this is that hop, not the client
            $ipaddress = getenv('REMOTE_ADDR');
        } else {
            $ipaddress = 'UNKNOWN';
        }

Please suggest why it always gives my server's public IP, even if I hit the API from my own machine.

Thanks

coder
  • You invariably CAN'T get the user's actual IP address, especially if it's a mobile device. Those are almost ALWAYS behind a NAT gateway and the only IP you'll get is the gateway's. – Marc B Jul 21 '15 at 14:50
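The first half of the question (allowing only xyz.com and the mobile app) runs into a property of CORS that the question does not spell out: Access-Control-Allow-Origin is enforced by browsers, not by the server. The example below is added here and is not code from the question or from any answer. It assumes the API lives on api.xyz.com and that https://xyz.com is the only browser origin that should be able to read responses; it sends the CORS headers only for that origin and leaves all other origins without one, which is what makes a browser block the cross-origin read.

```php
<?php
// Added example (not from the question or any answer): a browser-enforced
// CORS allow-list for an API. Assumption: https://xyz.com is the only
// page origin that may call api.xyz.com from a browser.
declare(strict_types=1);

const ALLOWED_ORIGINS = ['https://xyz.com'];

/**
 * Decide which CORS response headers to send for a request's Origin header.
 * Returns an empty array for origins that are not allowed: no
 * Access-Control-Allow-Origin header at all, so the browser refuses to
 * expose the response to the calling page.
 */
function corsHeadersFor(?string $origin): array
{
    if ($origin === null || !in_array($origin, ALLOWED_ORIGINS, true)) {
        return [];
    }
    return [
        'Access-Control-Allow-Origin'  => $origin,
        'Access-Control-Allow-Methods' => 'GET, POST, OPTIONS',
        'Access-Control-Allow-Headers' => 'Authorization, Content-Type',
        // Tell caches that the response differs per Origin.
        'Vary'                         => 'Origin',
    ];
}

// Apply the policy to the current request. Only browsers honour these
// headers: a mobile app, curl or a script ignores them and still gets the
// response, so non-browser clients must be gated by a credential such as
// a bearer token, not by CORS.
$origin = $_SERVER['HTTP_ORIGIN'] ?? null;
foreach (corsHeadersFor($origin) as $name => $value) {
    header("$name: $value");
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'OPTIONS') {
    // Preflight request: headers are the whole answer.
    http_response_code(204);
    exit;
}
```

Two things to keep in mind when wiring this up. The header name must be followed directly by the colon (`Access-Control-Allow-Origin: https://xyz.com`); a space before the colon makes it an invalid header name that browsers do not match. And the header does not make the server refuse anything: it only governs whether a page on another origin can read the reply, so "mobile devices stop responding" after setting it usually means the app is itself going through a browser-like client (a WebView) whose origin is not on the list.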

3 Answers

1

I would suggest securing your REST API via access tokens. I just did something similar for a REST API I created. There are lots of great articles available for "secure REST API". Below is a link to one I found particularly useful. I highly suggest using HTTPS to help secure your API as well.

https://stormpath.com/blog/secure-your-rest-api-right-way/

1

This is how you normally check for the real visitor IP:

// Both HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are request headers set by
// the client or by a proxy in front of the server.
if (!empty($_SERVER["HTTP_CLIENT_IP"]))
{
    // check for ip from shared internet
    $ip = $_SERVER["HTTP_CLIENT_IP"];
}
elseif (!empty($_SERVER["HTTP_X_FORWARDED_FOR"]))
{
    // Check for the proxy user
    $ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
}
else
{
    // TCP peer address as seen by the web server
    $ip = $_SERVER["REMOTE_ADDR"];
}

// This will print user's real IP address
// doesn't matter if user using proxy or not.
echo $ip;

This REST API Authorization & Authentication (web + mobile) might come in handy.

John Smith
  • I tried setting header("Access-Control-Allow-Origin : http://example.com") on my API domain, but it still allows requests when I hit it from other origins and returns a response. Why is it not blocking other origins when I allowed only example.com? – coder Jul 22 '15 at 11:17
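Both the code in the question and the snippet in this answer read the client address from headers that any caller can set, so whoever wants to appear as 127.0.0.1 or as another customer's address only has to send `X-Forwarded-For`. The example below is added here and is not code from the question or from this answer. It resolves the client address the way a reverse proxy deployment needs it: the forwarding headers are believed only when the TCP peer (`REMOTE_ADDR`) is a proxy you operate, and then the chain is read from the right so that the hop appended by your own proxy wins over anything the client put in front of it. The proxy address in `TRUSTED_PROXIES` is a placeholder, and the three requests at the bottom are constructed for the demonstration. It also explains the symptom in the question: when `REMOTE_ADDR` shows the API host's own public address, PHP is seeing a hop (a load balancer, a reverse proxy or NAT on the server side) rather than the client, and usually only the header that hop appends carries the original peer.

```php
<?php
// Added example (not from the question or any answer): resolve the client IP
// without trusting headers an arbitrary client can set. Assumption: the API
// sits behind a reverse proxy / load balancer whose address is listed in
// TRUSTED_PROXIES; the value here is a placeholder.
declare(strict_types=1);

const TRUSTED_PROXIES = ['10.0.0.5']; // placeholder for your own proxy address

/**
 * Return the client IP for a request described by $server ($_SERVER or a
 * constructed equivalent).
 *
 * - If REMOTE_ADDR is not one of our proxies, the TCP peer is the client and
 *   X-Forwarded-For is ignored, because the peer itself could have written it.
 * - If REMOTE_ADDR is one of our proxies, walk X-Forwarded-For from the right
 *   (our proxy appends the peer it saw at the end) and return the first
 *   well-formed address that is not itself one of our proxies.
 */
function clientIp(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if ($hop === '' || in_array($hop, $trustedProxies, true)) {
            continue; // skip empty entries and our own proxies
        }
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed header value: fall back to the peer
        }
        return $hop;
    }
    return $remote; // the header named only our proxies
}

// Constructed requests for demonstration (not real traffic).
// 1. Direct connection that carries a forged X-Forwarded-For.
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4'];
// 2. Connection through our proxy, which appended the peer it saw.
$viaLb  = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9'];
// 3. Client sent its own X-Forwarded-For; our proxy appended the real peer after it.
$spoof  = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 198.51.100.9'];

echo clientIp($direct), "\n"; // the peer address; the forged header is ignored
echo clientIp($viaLb), "\n";  // the address our proxy appended
echo clientIp($spoof), "\n";  // still the address our proxy appended, not the forged one
```

For the first request the function returns the peer address and never looks at the header; for the second and third it returns the rightmost non-proxy entry, which is the one the trusted proxy itself appended. If there is more than one proxy tier, list every tier in `TRUSTED_PROXIES`; if there is none, `REMOTE_ADDR` is already the best answer you can get, which is also Marc B's point about NAT: the address you obtain is the gateway's, and no header can change that honestly.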
1

Definitely the way to go is to create Tokens, either Session Tokens or Access Tokens. We used Session Tokens with the WealthEngine API (http://dev.wealthengine.com/api) specifically so that they would timeout. At a recent API event David from ProgrammableWeb had a great demonstration on how easy it is to Sniff Tokens and Secrets from Mobile Apps on the Android platform. This is exactly why you would want those Tokens to expire.
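The two token answers above agree on the mechanism but do not show it. Below is an added example of one way to do it; it is not code from the WealthEngine API or from the linked Stormpath article. It issues a short-lived access token signed with HMAC-SHA256 over a small JSON payload and verifies it with a constant-time comparison, so a token captured from a phone is only useful until its expiry. The secret, the subject name, the time-to-live and the `bearerFromServer` helper are all assumptions for the demonstration; in a real deployment the secret comes from configuration and the token is only ever sent in the `Authorization` header over HTTPS.

```php
<?php
// Added example (not from any answer or API on this page): issue and verify
// expiring HMAC-signed access tokens. Assumptions: SERVER_SECRET is loaded
// from configuration (the value here is a placeholder) and tokens travel in
// the Authorization header over HTTPS.
declare(strict_types=1);

const SERVER_SECRET = 'replace-with-a-32-byte-random-secret'; // placeholder
const TOKEN_TTL     = 900; // seconds; short so a sniffed token is worth little

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64urlDecode(string $s): ?string
{
    $raw = base64_decode(strtr($s, '-_', '+/'), true);
    return $raw === false ? null : $raw;
}

/** Issue a token for $subject valid for TOKEN_TTL seconds from $now. */
function issueToken(string $subject, int $now, string $secret = SERVER_SECRET): string
{
    $payload = b64url(json_encode(['sub' => $subject, 'exp' => $now + TOKEN_TTL]));
    $mac     = b64url(hash_hmac('sha256', $payload, $secret, true));
    return $payload . '.' . $mac;
}

/** Return the subject when the token is authentic and unexpired, else null. */
function verifyToken(string $token, int $now, string $secret = SERVER_SECRET): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, $secret, true));
    if (!hash_equals($expected, $mac)) { // constant-time, before any parsing
        return null;
    }
    $raw    = b64urlDecode($payload);
    $claims = $raw === null ? null : json_decode($raw, true);
    if (!is_array($claims) || !isset($claims['sub'], $claims['exp'])) {
        return null;
    }
    if (!is_int($claims['exp']) || $claims['exp'] <= $now) {
        return null; // expired: this is what limits the value of a captured token
    }
    return (string) $claims['sub'];
}

/** Pull a bearer token out of the request; null when absent or malformed. */
function bearerFromServer(array $server): ?string
{
    $h = $server['HTTP_AUTHORIZATION'] ?? '';
    return preg_match('/^Bearer\s+(\S+)$/', $h, $m) ? $m[1] : null;
}

// Demonstration with a constructed subject.
$t = issueToken('device-42', time());
var_dump(verifyToken($t, time()) === 'device-42');         // authentic and fresh
var_dump(verifyToken($t, time() + TOKEN_TTL + 1) === null); // expired
var_dump(verifyToken($t . 'x', time()) === null);           // tampered signature
var_dump(bearerFromServer(['HTTP_AUTHORIZATION' => "Bearer $t"]) === $t);
```

Because the token is stateless, the server cannot revoke a single one before it expires; that is the trade-off against the session tokens this answer describes, which live in server-side storage and can be invalidated at any time at the cost of a lookup per request. Either way, the expiry is what turns a captured credential from a permanent problem into a bounded one.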