
In a PHP application, I've created the following middleware to validate the API key:

    <?php

    namespace App\Http\Middleware;

    use Carbon\Carbon;
    use Closure;
    use Illuminate\Http\Request;

    // The question's middleware wrapped in the handle() method it runs from; the
    // exception, event and isApiKeyVerifiedFrom*() classes are the application's own.
    class ValidateApiKey
    {
        public function handle(Request $request, Closure $next)
        {
            $apiKeyValueFromHeader = $request->header('Authorization');
            $apiKeyValueFromQuery  = $request->get('api_key');
            if (empty($apiKeyValueFromHeader) && empty($apiKeyValueFromQuery)) {
                throw new ApiKeyNotFoundException("API Key Not Found");
            }

            // Get API_KEY from header ("Authorization: Bearer <key>")
            $apiKeyFromHeader = null;
            if ( ! empty($apiKeyValueFromHeader)) {
                // Limit the split to two parts and guard the index: a header with no
                // space would otherwise raise an undefined-offset notice
                $bearer      = explode(' ', $apiKeyValueFromHeader, 2);
                $apiKeyValue = $bearer[1] ?? null;
                if ( ! empty($apiKeyValue)) {
                    $apiKeyFromHeader = $this->isApiKeyVerifiedFromHeader($apiKeyValue);
                }
            }

            // Get API_KEY from QueryString (fallback when the header did not verify)
            if (empty($apiKeyFromHeader)) {
                $apiKeyFromQuery = empty($apiKeyValueFromQuery)
                    ? null
                    : $this->isApiKeyVerifiedFromQuery($apiKeyValueFromQuery);
                if (empty($apiKeyFromQuery)) {
                    throw new InvalidApiKeyException("Unauthorized Access!");
                }
                $apiKey = $apiKeyFromQuery;
            } else {
                $apiKey = $apiKeyFromHeader;
            }

            // Record usage on the key model, then expose the key owner as the request user
            $apiKey->update([
                'last_used_at'    => Carbon::now(),
                'last_ip_address' => $request->ip(),
            ]);

            $apikeyable = $apiKey->apikeyable;

            $request->setUserResolver(function () use ($apikeyable) {
                return $apikeyable;
            });
            $request->apiKey = $apiKey;
            event(new ApiKeyAuthenticated($request, $apiKey));

            return $next($request);
        }
    }

But I couldn't find a solution to identify from which URL (source) the API request is coming. The API key could be used by developers or any 3rd-party integrating service like Zapier. Can anyone help me identify the source the request is coming from so that I could restrict access?

In the backend, I could define the URL for the provided API key, but I do not know how I could prevent unauthorized access.

I do not want to use OAuth2, i.e. client/secret.

Sujit Baniya

1 Answer


Yes, you can surely do that using Passport.

Please see the Passport documentation here.

You can create particular users for particular third parties/sources, and a unique token will be assigned to each user, through which you can restrict unauthorized access as well as identify which third party is accessing the APIs.

Kaleem
  • Thank you for your answer. Passport seems to use OAuth2, but I needed a solution for API keys where the user could only use the API key, not a client/secret combination, for their purpose. – Sujit Baniya Mar 13 '18 at 15:13
  • Okay, have you assigned an API key to each user, or are you using a static API key for all APIs? – Kaleem Mar 13 '18 at 15:20
  • API key to each user. Each user could have different API keys for different purposes. – Sujit Baniya Mar 13 '18 at 15:21
  • Then there should be no problem. First of all, in the middleware check if the API key (received in the header) exists in the DB. If it exists, check its access rights etc.; else return an authorization access error. – Kaleem Mar 13 '18 at 15:31
  • Identifying and authorizing the user from the API key is not a problem. I'm looking for a solution to check whether the user has come from a valid source (URL). – Sujit Baniya Mar 13 '18 at 15:34
  • Then you can use "HTTP_REFERER" and the API key both at the same time, i.e. you can save the source URL against the API key and on each request check both. Or a second solution is to refresh tokens after a specific time and issue a new token to the source. – Kaleem Mar 13 '18 at 15:53
  • What if a 3rd-party service like Zapier does not send HTTP_REFERER in its headers? I just checked the $_SERVER variable; there's no such header from Zapier. – Sujit Baniya Mar 13 '18 at 16:24
  • Yes, this is the possibility. [Check this](https://stackoverflow.com/questions/16374704/php-how-to-get-referrer-url). – Kaleem Mar 13 '18 at 16:32
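The check discussed in the comments, written out as an added example (not code from the question or the answer, and not tied to Laravel): the key is resolved from the Bearer header or query string, then a per-key policy decides whether a Referer/Origin must match a registered origin or, for server-to-server callers that send neither, whether the client IP must be on an allowlist. The key store, key values, hostnames and IP addresses are constructed for the example.

```php
<?php
// Constructed sample key store (hypothetical): indexed by SHA-256 so the plaintext
// key is never stored; allowed_origins === null marks a server-to-server key
// (a Zapier-style integration) that is not expected to send Referer or Origin.
function keyStore(): array
{
    return [
        hash('sha256', 'zapier-key-123') => ['owner' => 'integration:zapier',
            'allowed_origins' => null, 'allowed_ips' => ['203.0.113.10']],
        hash('sha256', 'web-key-456') => ['owner' => 'developer:alice',
            'allowed_origins' => ['https://app.example.com'], 'allowed_ips' => null],
    ];
}

// Resolve the key from "Authorization: Bearer <key>" or ?api_key=, then apply
// the per-key source policy. Returns ['ok' => bool, ...] instead of throwing.
function authenticateRequest(array $headers, array $query, string $clientIp): array
{
    $presented = null;
    if (preg_match('/^Bearer\s+(\S+)$/i', $headers['Authorization'] ?? '', $m)) {
        $presented = $m[1];
    } elseif (!empty($query['api_key'])) {
        $presented = $query['api_key'];
    }
    if ($presented === null) {
        return ['ok' => false, 'reason' => 'api_key_missing'];
    }
    $record = keyStore()[hash('sha256', $presented)] ?? null;
    if ($record === null) {
        return ['ok' => false, 'reason' => 'api_key_invalid'];
    }
    // Browsers send Origin (cross-site) or Referer; any non-browser client can
    // omit or forge both, so this check only catches a key copied into another
    // web page, not a determined caller. Combine it with the IP allowlist.
    if ($record['allowed_origins'] !== null) {
        $src    = $headers['Origin'] ?? $headers['Referer'] ?? null;
        $parts  = $src === null ? false : parse_url($src);
        $origin = $parts ? ($parts['scheme'] ?? '') . '://' . ($parts['host'] ?? '') : null;
        if (!in_array($origin, $record['allowed_origins'], true)) {
            return ['ok' => false, 'reason' => 'source_not_allowed'];
        }
    }
    if ($record['allowed_ips'] !== null && !in_array($clientIp, $record['allowed_ips'], true)) {
        return ['ok' => false, 'reason' => 'ip_not_allowed'];
    }
    return ['ok' => true, 'owner' => $record['owner']];
}

// Zapier-style call with no Referer (decided by IP) vs. a browser key presented from an unregistered page
var_dump(authenticateRequest(['Authorization' => 'Bearer zapier-key-123'], [], '203.0.113.10'));
var_dump(authenticateRequest(['Referer' => 'https://other.example/'], ['api_key' => 'web-key-456'], '198.51.100.7'));
```

Because a missing Referer is normal for integrations like Zapier, the decision of which check applies has to live in the key record rather than in the request, which is what the `allowed_origins` / `allowed_ips` pair expresses.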