
I've always used a JS framework coupled with a PHP backend on the same server (a website in PHP that uses a JS framework like React/Vue/Angular). I know how to call an API function with axios (from JS to my PHP backend) to insert/select in the database. I have an environment file that contains the login and password for the database, which I use in PHP.

But I want to make a Vue app without integrating it in a PHP web page (to convert it to Electron and Ionic). So the files are on the user's disk. How can I call my own API (e.g. http://my-custom-api.test/api/insert_data) without users seeing a password or other stuff for logging in to my API themselves? => Only my apps are allowed to use the API.

EDIT: OK for this step, I use a token system. But I have one question: can a user be exposed to a CSRF attack? (The client is an Electron desktop app or an Ionic mobile app.) They call my API to execute actions with params (form data and the user's bearer token). Is it safe?

emeliku
  • Your app runs on the client, so the end user will always be able to see the network requests, and you can't prevent that. Your only feasible option is to obfuscate the data. If you're just trying to hide the username/password, don't use Basic authentication. Switch to a more secure protocol if your database supports it (which it should). – tony19 Jun 13 '21 at 22:05
  • This might help you. https://stackoverflow.com/questions/533965/why-is-security-through-obscurity-a-bad-idea – Chin. Udara Jun 14 '21 at 06:07
  • This is commonly handled by using API keys instead of login/password. Keys can be issued per user on first launch or on registration, so they could be blacklisted in case they are misused. Nothing is safe on client side. You can keep them in encrypted storage but this doesn't do much if source code of the app can be accessed freely. – Estus Flask Jun 14 '21 at 06:46
  • @EstusFlask I've edited my post. I think it's ok but I've one question with possible CSRF attack – emeliku Jun 15 '21 at 18:41
  • I don't see the problem with CSRF. You don't share a window with other websites. If you do for some reason then the same concerns as with browser web app apply. – Estus Flask Jun 15 '21 at 20:13

0 Answers