How to generate and validate access tokens for each user session?

Question

I've set this website which consumes an API using JS, in the client-side. Although, it's not a good solution as it exposes my API account token.

In this way, I've decided to make the API calls using PHP, after the server is triggered by some JS Fetch request. But, with this solution, bad boys would still be able to read my code, copy the PHP file URL and enjoy my API Plan.

To solve that I've read some questions and some answers around here which tell people to generate a token, store in the session and then send it with the request to the server, so it can make sure the request was made from my own website. BUT I DON'T EVEN KNOW HOW TO SEARCH FOR THAT!

For now, I'm basically using DOM events to trigger the Fetch API (JS in the client side) which requests a PHP file in my server to make the actual API request and return the data:

fetch('myServerScript.php') // How can I block people from using this file?
  .then(response => response.json())
  .then(data => {
    //Handles Data
  })

// This file is in my backend and is named myServerScript.php
<?php

$response = @file_get_contents('https://ddd.pricez.com.br/ddds/87.json');

echo $response;

What I really expect is:

Hide my API token in the backend;
Block requests to my PHP file, unless they're from my own website;
The actual code for this solution.

score 0 · Answer 1 · answered Apr 20 '19 at 16:20

0

Put your token in some other path. If your website is hosted under /var/www store your token somewhere else /etc/myapp/config (for example). And then read the token in php.

If your server is configured correctly nobody should be able to see your code, but even if they could this adds another layer of security.

If you use something like symfony you will get configuration similar to what I have described out of the box.

answered Apr 20 '19 at 16:20

adotout

1,170
12
17

How can I read this token, using PHP? How can I block people from using this resquest URI? – Apr 20 '19 at 21:04
Can you see the mock code I've added to the description? – Apr 20 '19 at 21:13

score 0 · Answer 2 · answered Apr 20 '19 at 18:38

0

There are multiple ways to securely handle tokens for authorization. For example oAuth2.
You can only allow specific IPs to access your APIs. You can restrict IPs in .htaccess for Apache or at application level in APIs.

Allow access to all files from only 1 IP address and redirect all others to other file
You can also configure your server to prevent directory listing. You can use .htaccess for Apache. Your source code will be protected.

How do I disable directory browsing?

answered Apr 20 '19 at 18:38

Naveed

41,517
32
98
131

Can you see the mock code I've added to the description? I'm not sure if it applies to my situation. – Apr 20 '19 at 21:13
Client is in client's hand but you can protect your backend code as I discussed in my answer. You can add IP filtering in your backend code. – Naveed Apr 21 '19 at 06:19

How to generate and validate access tokens for each user session?

2 Answers2