
Scenario: Say I have a RESTful http(s) API running somewhere exposed on a public IP+port, and now I want to make a simple front-end that interacts with this API.

Constraint: I want to use GitHub Pages to serve the front-end, and I would like to make the repository public.

Question: Is there a way to design the API such that only calls originating from the gh-pages website will be successful? That is, if someone were to fork the repository and run their own version of the front-end, could the API notice that the call does not originate from the "official" gh-pages site? I'm really wondering if there is something I can provide in the API call that would prove that the caller is calling from a certain, predetermined place.

If the front-end can be privately hosted I could have a shared secret stored on both servers and use that to authenticate, but I would ideally want to be able to host this via GitHub pages (removing the need to maintain a server my self). Can I somehow use the fact the gh-pages site would have a proper certificate from Github? Or would this certificate be available for all gh-pages sites similarly, and hence not useful to determine origin?

I hope the question is clear, any input would be very much appreciated!

Adi Fatol
Bendik

2 Answers


The assumption that the requests are made from gh-pages is wrong. The requests are made from the user's browser (the user's IP address). Any user will load the contents of a web page in the browser from your own repository or from a fork repository, but the requests to the API will be created from the user's browser.

By default, the browser will not allow requests to an API on a different domain than the one where the HTML is loaded from. So, loading content from https://pages.github.com/ and requesting your own private server will fail, as it will be on a different domain (see CORS), but there are many ways to avoid this (see Cross-Origin Resource Sharing on GitHub Pages).

So, as long as CORS is enough for you (see the link above for how to enable requests to your API), you should not worry. Otherwise, there is not much you can do but authorize the customers.

Adi Fatol
    Yeah, when you say that it makes me feel like I knew that, but somehow I didn't think it through. I've dealt with the CORS issue before, so I was prepared to deal with that, but I might have to rethink a couple of things before that... Thanks anyway! – Bendik Apr 14 '19 at 13:35

Is there a way to design the API such that only calls originating from the gh-pages website will be successful?

No.

The only information you have is what the client chooses to tell you.

A client might send a Referer header. A custom client definitely can lie about that.

Quentin
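Both answers make the same point from two sides: a CORS allow-list on the Origin header only governs what a browser lets page JavaScript read, and Origin or Referer are just headers a custom client can set to anything, so the only control the server can actually rely on is a credential the user presents. The following is an added example, not code from the question or either answer; it is a small request-policy module in Python where the allowed origin, the token table and the sample headers are constructed assumptions.

```python
"""
Added example (not part of the original question or answers): a tiny request-policy
module showing that a CORS allow-list on the Origin header only governs browsers,
while a user credential is what actually authorizes a call.

All values below are constructed for illustration: the allowed origin, the token
table, and the sample requests are assumptions, not values from the page.
"""
import hmac

# Assumption: the "official" front-end is served from this GitHub Pages origin.
ALLOWED_ORIGINS = {"https://example-user.github.io"}

# Assumption: per-user API tokens issued out of band (constructed sample values).
VALID_TOKENS = {"tok_alice_0123456789": "alice"}


def cors_headers(origin):
    """Return CORS response headers for an allowed origin, else an empty dict.

    This is the browser-enforced half: a browser refuses to expose the response
    to page JavaScript unless these headers name the page's origin. A non-browser
    client ignores them entirely, and it can send any Origin value it likes, so
    an allowed origin here proves nothing about who sent the request.
    """
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def authenticated_user(headers):
    """Map an 'Authorization: Bearer <token>' header to a user name, or None.

    This is the server-enforced half: it does not care where the request was
    sent from, only whether the caller holds a valid credential.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    for known, user in VALID_TOKENS.items():
        # Constant-time comparison so token prefixes do not leak via timing.
        if hmac.compare_digest(known, token):
            return user
    return None


def handle(headers):
    """Decide one request; returns (status, response_headers, body)."""
    cors = cors_headers(headers.get("Origin", ""))
    user = authenticated_user(headers)
    if user is None:
        return 401, cors, "missing or invalid token"
    return 200, cors, f"hello {user}"


def demo():
    """Four constructed requests that show which check actually decides access."""
    official = "https://example-user.github.io"
    token = "Bearer tok_alice_0123456789"
    return {
        # A fork of the repo on another origin: no CORS headers, and no token -> 401.
        "fork_no_token": handle({"Origin": "https://someone-else.github.io"}),
        # The official page, but the visitor never logged in: CORS passes, auth fails.
        "official_no_token": handle({"Origin": official}),
        # A script that forges the official Origin: CORS passes, auth still fails.
        "forged_origin_no_token": handle({"Origin": official}),
        # Any client presenting a valid token is accepted; the credential decides.
        "forged_origin_with_token": handle({"Origin": official, "Authorization": token}),
    }


if __name__ == "__main__":
    for name, (status, cors, body) in demo().items():
        print(f"{name:26} -> {status} cors={bool(cors)} body={body!r}")
```

The second and third scenarios produce identical results on the server, which is the whole point of both answers: the server cannot distinguish the real gh-pages site from a script that copies its Origin header, so the decision has to rest on the bearer token (or any other per-user credential), with CORS kept only as the browser-side convenience that lets the official page read the responses.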