
I am allowing users to log in to my site on the basis of a one-time password sent to the user's mobile number.

My problem is that I am doing an API call to send the OTP to the user's mobile number using jQuery AJAX. Now anyone can see the API call and make infinite API requests to my server, which will exhaust my SMS pack immediately.

How can I avoid such abusive use of the API call?

Lokesh Harjani

3 Answers


You should authenticate the API request to your server. I'm assuming the server is under your control.

One idea might be to use JWT => https://jwt.io/

And of course use HTTPS on your server.

Thargor

Rails already has CSRF protection. You need to enable it for your AJAX requests. When you enable it, no one else can repeat your AJAX call without your CSRF token, which is regenerated for every web request.

Other options include rate limiting your API requests from the same IP using rack-attack.

Raj
  • But an attacker can easily copy the authenticity_token field and use it to make the API call. Please explain how CSRF protection will protect against abusive use of the API call. – user2274074 Apr 19 '16 at 17:39
  • The CSRF token is valid for only one request – Raj Apr 19 '16 at 18:05
  • I opened a form in a new tab, pasted the old authenticity_token into this form and submitted the form. In this case the record is created. But when I opened the same form in a new incognito window or in another browser and pasted the same authenticity token again, it gave an "InvalidAuthenticityToken" error. Does it mean that the authenticity_token of one browser cannot be used in another browser? Where does Rails store the authenticity token? – user2274074 Apr 19 '16 at 18:18
  • I think the Rails guide has all the details - http://guides.rubyonrails.org/security.html – Raj Apr 19 '16 at 19:00
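The rate-limiting option mentioned in this answer, shown as an added example rather than code from the answer or from the rack-attack project: a minimal Rack middleware that throttles an OTP-sending endpoint per client IP and per phone number, which is the logic a `Rack::Attack.throttle` rule implements. It assumes a JSON POST to `/otp/send` with a `phone` field and constructed limits of 5 requests per IP and 3 per phone number per 60-second window.

```ruby
# Added example (not from the answer or rack-attack): fixed-window throttle
# for an OTP-sending endpoint. In production use the gem with a shared store
# such as Redis so limits hold across app servers and old windows expire.
require "json"
require "stringio"

class OtpThrottle
  LIMITS = { ip: 5, phone: 3 }.freeze   # constructed limits per window
  WINDOW = 60                            # window length in seconds

  # `clock` is injectable so the behaviour can be tested deterministically.
  def initialize(app, path: "/otp/send", clock: -> { Time.now.to_i })
    @app, @path, @clock = app, path, clock
    @counts = Hash.new(0)                # "kind:value:bucket" => hits
  end

  def call(env)
    # Only the OTP-sending POST is throttled; everything else passes through.
    return @app.call(env) unless env["REQUEST_METHOD"] == "POST" && env["PATH_INFO"] == @path
    keys = { ip: env["REMOTE_ADDR"], phone: phone_from(env) }.compact
    bucket = @clock.call / WINDOW        # fixed window id
    # Count the hit for each dimension; reject if any limit is exceeded.
    if keys.any? { |kind, v| (@counts["#{kind}:#{v}:#{bucket}"] += 1) > LIMITS[kind] }
      return [429, { "content-type" => "text/plain", "retry-after" => WINDOW.to_s },
              ["Too many OTP requests\n"]]
    end
    @app.call(env)
  end

  private

  # Extracts the phone number from the JSON body without consuming it.
  def phone_from(env)
    body = env["rack.input"]
    return nil unless body
    body.rewind
    phone = JSON.parse(body.read)["phone"]
    body.rewind
    phone
  rescue JSON::ParserError
    nil
  end
end

# Builds a constructed Rack env for a JSON POST to the OTP endpoint.
def otp_env(ip, phone, path: "/otp/send")
  { "REQUEST_METHOD" => "POST", "PATH_INFO" => path, "REMOTE_ADDR" => ip,
    "rack.input" => StringIO.new(JSON.generate("phone" => phone)) }
end
```

The per-phone limit matters as much as the per-IP one: it caps the SMS cost an attacker can inflict on a single victim even when requests come from many addresses.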

Providing some authentication mechanism should work. This way, any person trying to hit your API will have to be logged in. Store the authentication token in the session and verify it on the server side. There are also other techniques, like using API secrets/keys. Kindly check the link below: https://stormpath.com/blog/secure-your-rest-api-right-way/

  • This will now work for me because I want to prevent abusive use of my API, which itself provides the authentication mechanism. – Lokesh Harjani Apr 19 '16 at 12:29
  • A login/password or certificate authentication is mandatory before an SMS OTP. OTPs are generally used for risk-based transactions. Risk can be user information risk or financial transaction risk. A normal login/password authentication before that step should help. – Jaydeep Valecha Apr 19 '16 at 12:52