0

I am developing a WordPress plugin which will provide end-users access to a specific, third-party API.

There are two types of credentials used to authenticate with the API: End user (email and password) and service provider, aka me (partner ID and signature key). These credentials are used along with other parameters (such as a timestamp) to calculate a "partner signature" which is ultimately used for authentication.

This way the API knows who accessed their service from which partner. Sadly it doesn't support any other type of auth.

The problem is that these passwords need to be in their original format (no hash or encryption) for the partner signature "calculation". However, if I do not encrypt or hash them, people could just take my credentials and make their own API or do other sorts of shady business with my partner credentials.

TL;DR: I need to encrypt/decrypt passwords inside a WordPress plugin so that only the plugin has access to the original password.

  • This post might be helpful for you [link](https://wordpress.stackexchange.com/questions/25062/how-to-store-username-and-password-to-api-in-wordpress-option-db) – Shajibur Rahman Jan 31 '18 at 07:33
  • By 3rd party do you mean just to user (i.e. you are the API provider) or is the API also 3rd party to you (i.e. your ID is used to access someone else's API)? If the latter, are you simply trying to avoid your ID for this service being made public? – scytale Jan 31 '18 at 08:44
  • @scytale The API is also 3rd Party. I want to avoid that someone uses my provider credentials and creates his own plugin with them, or abuses them in some other way. – Drazen Bebic Jan 31 '18 at 09:07

1 Answer

3

Protection depends on what you consider sufficient for the effort involved. There is no perfect solution.

To hide your credentials your plugin could send the API request via a relay script (PHP, Java, whatever) on a remote server (e.g. your own). The relay will add your credentials, request the API, and return the results to the plugin. Example relay script that adds API key.

If you are using this for a specific type of API request e.g. pass customer enquiry leads (for which you get credited) and just want to prevent any other type of request with your ID (e.g. change your account details) then this should be sufficient.

Drawbacks/Issues:

Use of your server.

  • The relay is minuscule in use of resources, but if there is a high volume of requests via your plugin there could be an impact on your server load.

Unauthorised use of your relay script:

  • Hackers trying to find IDs for the API won't be looking for sites with your relay URL; they will be "Googling" for sites with "links" containing the API provider's name. (good)
  • However, although your credentials are now hidden, if your plugin uses Ajax then visitors could view page source and identify the URL of your relay; and later use it to access the API.

To prevent unauthorised use of your relay, the plugin can first request/generate a token (e.g. an MD5 of some values and a salt) and send it in the request to the relay. The relay will check this token matches its own MD5 of values and salt. Your plugin can then use Ajax "safely" (although visitors can still identify the relay URL from page source they won't know how to generate a valid token).

Unfortunately, plugin code is readable by the site Admin and there is not much you can do to prevent reverse engineering of any protection you add.

You could go further and require plugin registration (you've no guarantee the person is genuine) and checking of referrers/IPs etc (all can be spoofed).

scytale
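The relay-side token check described in the answer above, as an added example that is not part of the original answer. It uses a timestamped HMAC-SHA256 in place of the MD5-with-salt the answer mentions, and a per-site secret issued at plugin registration; the function names, action names, site ID and secret are all hypothetical.

```php
<?php
// Added example: relay-side token check. All names and values are hypothetical.
const TOKEN_MAX_AGE = 300;               // seconds a token stays valid
const ALLOWED_ACTIONS = ['submit_lead']; // the only API call the relay forwards

// Per-site secrets issued at plugin registration (constructed sample data).
// In a real relay these would come from a database, not source code.
$siteSecrets = ['site-123' => 'constructed-sample-secret'];

/** Plugin side: build the token sent along with the request. */
function make_token(string $secret, string $siteId, string $action, int $ts): string
{
    return hash_hmac('sha256', $siteId . '|' . $action . '|' . $ts, $secret);
}

/** Relay side: true only for a fresh, correctly signed, allowed request. */
function verify_request(array $req, array $siteSecrets, int $now): bool
{
    foreach (['site', 'action', 'ts', 'token'] as $k) {
        if (!isset($req[$k]) || !is_string($req[$k])) {
            return false;
        }
    }
    if (!in_array($req['action'], ALLOWED_ACTIONS, true)) {
        return false; // never forward e.g. account changes
    }
    if (!ctype_digit($req['ts']) || abs($now - (int) $req['ts']) > TOKEN_MAX_AGE) {
        return false; // malformed or stale timestamp: limits replay of old tokens
    }
    if (!isset($siteSecrets[$req['site']])) {
        return false; // unknown or revoked site
    }
    $expected = make_token($siteSecrets[$req['site']], $req['site'], $req['action'], (int) $req['ts']);
    return hash_equals($expected, $req['token']); // constant-time comparison
}

// Constructed requests: one valid, one with an action outside the allow-list.
$now = 1517400000;
$good = ['site' => 'site-123', 'action' => 'submit_lead', 'ts' => (string) $now];
$good['token'] = make_token($siteSecrets['site-123'], 'site-123', 'submit_lead', $now);
$bad = ['site' => 'site-123', 'action' => 'change_account', 'ts' => (string) $now];
$bad['token'] = make_token($siteSecrets['site-123'], 'site-123', 'change_account', $now);

var_dump(verify_request($good, $siteSecrets, $now));        // fresh, signed, allowed action
var_dump(verify_request($good, $siteSecrets, $now + 3600)); // same token replayed an hour later
var_dump(verify_request($bad, $siteSecrets, $now));         // correctly signed, action not allowed
// Only after verify_request() succeeds would the relay add the partner ID and
// signature key (stored on the relay server only) and call the third-party API.
```

A per-site secret does not stop a site admin from reading it out of the plugin, as the answer notes, but it lets the relay revoke or rate-limit one site without affecting the others.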