0

I would like to expose a problem to which I just cannot find a solution, although I have been informed several times on the web, the resources I find do not satisfy my curiosity.

The question is the following:

Suppose we have a REST API in Node.js (Express) on the following endpoint -> /stars. Suppose we want to sell this API with the endpoint /stars to a certain target of customers; the endpoint will therefore only allow customers who buy the API to use it. The problem arises spontaneously: let's suppose that the pizza company buys my API and that I generate an access token for them, then they would call my endpoint with their token to get the resource; so far very good. However, all the requests are easily visible.

Example: Chrome > dev tools > network, and I see not only the endpoint with the full address, but even the payload that is passed!

So as an attacker I could very well (without paying for the API) catch the pizza company using the endpoint /stars with a token, copy everything and slap it on my services by providing the same token and the same endpoint. I already know of the existence of tokens like JWT, but they don't solve the problem anyway, as that kind of token only has the expiration. Even if it expires after 15 minutes or after 3 minutes, you just retrieve another one and send an identical request with the same token. Would anyone be able to direct me to a solution?

The only one I've seen find a solution to this is Instagram, which sends behind it a payload of thousands of lines; is it really the only method?

note: it is not even public.

Smit Gajera
xVoid
  • I don't understand. What you're describing here is: if someone has the login/token information they can impersonate that user. This holds true for all systems that have logins or tokens. Sending a Bearer token in the request header is a standard way of authenticating a request. This is why you use HTTPS, to avoid a man-in-the-middle attack. – Bergur Dec 08 '21 at 22:08
  • I'll rephrase, sorry, I'm not good at English. If I want an endpoint to be accessible only by a customer who bought my API, how do I do it? They need an access token, right? But if, when I call my endpoint from (for example) Chrome dev tools > network, I can see both the endpoint and the token being passed, where is my security? – xVoid Dec 08 '21 at 22:16
  • 1
    Your security is in a) having the request on a secure HTTP protocol to avoid a man-in-the-middle attack, b) your customer sending that token from the server side and not from the client side. – Bergur Dec 09 '21 at 00:29
  • This question is “what is authentication” – Joe Dec 09 '21 at 04:05

3 Answers

0

@xVoid

  1. The first thing you can do is set up an encryption/decryption module for your response data with the help of the crypto module in Node.js. Here you send an encrypted response, and your API client decrypts your response and uses it.

  2. You can set a key for your API. This means that every time your client or user sends you a request, they have to send that key in the body, not the header, so other people can't get your data because they don't have that key. In Express you can set up middleware to validate whether this key exists or not; if not, simply return "You are not authorized".

If you aren't getting any point, or you want to go deep on a particular thing, just let me know.

Smit Gajera
0

You may simply use an http-only cookie and send the token in the cookie, instead of a normal header.

  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Dec 10 '21 at 21:11
0

A customer using your endpoint should not be sharing their API keys with the end-users.

This means that any customer using your service should create at least a proxy server to your specific endpoint.

CLIENT GET /pizza FROM CUSTOMER -> CUSTOMER GET /pizza?apiToken=<...> FROM SERVICE

Obviously there can be a man-in-the-middle attack between the CUSTOMER and your SERVICE, but that is unlikely to occur using SSL (Related: Are querystring parameters secure in HTTPS (HTTP + SSL)?)

If a CUSTOMER suspects that their API key was leaked, they should revoke it and request a new one from your SERVICE.

marc_s
Diogo Almiro