
I'm building an API where unauthorized access can be denied along the lines of:

$APIKey = $_POST['API Key'];
if (!verifyAPIKey($APIKey)) {
    http_response_code(401);
    exit();
}

Assuming verifyAPIKey() is robust, is there a way an attacker could post data other than a valid API key which would evaluate the if condition to true and bypass this authentication step?

kemika
    Post the code of `verifyAPIKey` – Charlotte Dunois Nov 05 '16 at 14:54
  • Thanks for your help. What I was really asking is assuming that `verifyAPIKey` can only return true with a valid API key or false without one, is there still a way to skip the if block? I suppose I should have said "Given some arbitrary if statement in PHP is there a technique hackers could use to skip it?" Like is there a way to hack if(1!=1){do something}? – kemika Nov 05 '16 at 15:14

1 Answer

RESTful APIs work on something called a handshake, so where security is concerned, we must ensure we are using SSL encryption in the data transfer.

When we talk about an API Key we're really saying a random but unique string (token) for that single user to gather data across domains (CORS).


Assuming verifyAPIKey() is robust

This isn't a pre-defined function in PHP. To include a 'robust' infrastructure to API tokens, you would need a set of instructions.

  • Client requesting data uses a unique token and return URI ->
  • Client redirects user to your sandbox with this information ->
  • User allows client access and Client receives a separate unique token ->
  • Client creates a request with that token to an endpoint to then get the data

Really, the hack here would be an Injection when you're querying your database for those tokens. However, not to worry because SO has plenty of resources on securing queries.


A simple example of this context would look something like this:

class Endpoint {

    private $Token;

    public function setToken($token) {
        $this->Token = $token;
        return $this;
    }

    public function isToken() {
        // Database is a placeholder wrapper here; assumed to return a PDOStatement
        $stmt = (new Database)->Prepare('SQL HERE');
        // Bind the token stored on this object (the original bound an undefined $token)
        $stmt->execute([$this->Token]);
        // True only when the prepared lookup returns a row for that token
        return empty($stmt->fetch()[0]) ? false : true;
    }

}

$e = new Endpoint();
$e->setToken($_POST['token'] ?? ''); // change to an MVC design rather than post methods
if($e->isToken()) {
    // API logic (ie, return action related to that token)
}

Or see a working example of this.

Jaquarh
  • Thanks for your answer. I am using SSL and all my queries use prepared statements. Sorry my question is rather unclear; the code posted is one point of the authentication process. In my actual code the function is called verifyAccessToken($AccessToken) where $AccessToken is a self contained JWT. My concern was some kind of PHP code injection or something I can't imagine being used to skip an if block. – kemika Nov 05 '16 at 15:54
  • `verifyAccesstoken()` should simply check if the token exists in the database, nothing more or less so there would be no **hack** @kemika – Jaquarh Nov 05 '16 at 16:21
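The question asks whether anything other than a valid key can make the `if` pass, and the answer's position is that a check which only asks "does this token exist" leaves nothing to skip. Whether that holds depends on how the lookup treats its input, so here is an added example (not code from the question, the answer, or any project) of a `verifyAPIKey()` written in that spirit: the POSTed value is type-checked, bounded, hashed and looked up by hash, and the request is refused with 401 otherwise. The field name `api_key`, the `$keyStore` array standing in for the database table, the `hashKey()` helper and all key values are assumptions made for this example. One detail worth knowing when wiring this to a form: PHP rewrites spaces and dots in request parameter names to underscores, so a field named `API Key` arrives as `$_POST['API_Key']`, never `$_POST['API Key']`.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer. Shows a verifyAPIKey()
// in the shape the question assumes, written so that no POSTed value other than a
// valid key can make the check pass. $keyStore stands in for the database table the
// answer queries; every key value below is constructed for this example.

function hashKey(string $key): string
{
    // Only hashes are stored, so a dumped table does not contain usable keys.
    return hash('sha256', $key);
}

/**
 * Returns the owner of the submitted key, or null if it is not valid.
 * The store is a parameter so the function can be exercised offline.
 */
function verifyAPIKey($submitted, array $store): ?string
{
    // $_POST values can be arrays (api_key[]=x) or missing entirely. Rejecting
    // anything that is not a plain string up front is what rules out "data other
    // than a valid key" ever reaching the comparison.
    if (!is_string($submitted)) {
        return null;
    }
    // Bound the length before doing any work on the value.
    $len = strlen($submitted);
    if ($len < 16 || $len > 128) {
        return null;
    }
    // Lookup by hash: the sender does not control where the hash lands in the
    // table, so a plain array lookup leaks nothing useful about the stored keys.
    return $store[hashKey($submitted)] ?? null;
}

/** Denies the request with 401 unless a valid key is present; returns the owner. */
function requireApiKey(array $post, array $store): string
{
    // Assumed field name: api_key (PHP would turn "API Key" into "API_Key").
    $owner = verifyAPIKey($post['api_key'] ?? null, $store);
    if ($owner === null) {
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'unauthorized']);
        exit;
    }
    return $owner;
}

// Constructed sample store: sha256(key) => owner.
$keyStore = [
    hashKey('k_test_0123456789abcdef0123456789abcdef') => 'client-a',
];

if (PHP_SAPI === 'cli') {
    // Offline self-check with constructed inputs (run: php this_file.php).
    $cases = [
        ['k_test_0123456789abcdef0123456789abcdef', 'client-a'], // valid key
        ['k_test_0123456789abcdef0123456789abcdeX', null],       // one char off
        ['', null],                                               // empty string
        [['k_test_0123456789abcdef0123456789abcdef'], null],     // array (api_key[]=)
        [null, null],                                             // field missing
        [str_repeat('a', 4096), null],                            // oversized input
    ];
    foreach ($cases as [$input, $expected]) {
        if (verifyAPIKey($input, $keyStore) !== $expected) {
            throw new RuntimeException('verifyAPIKey self-check failed');
        }
    }
    echo "all checks passed\n";
} else {
    $owner = requireApiKey($_POST, $keyStore);
    // API logic for $owner goes here.
}
```

The function returns the key's owner rather than a bare boolean so that the code after the `if` works from a value the lookup produced instead of re-reading `$_POST`. The CLI branch exists only so the file can be run without a web server; under a web SAPI the request path is the `else` branch, and the `exit` after the 401 is what makes the question's pattern hold: nothing past it runs unless `verifyAPIKey()` found a row.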