1

I am running a mobile app which depends on JSON requests.

The problem is that some users can access the API directly without using the app. I would like to know how to prevent this. So, I want to restrict the API so that it only accepts connections from the app.

Bobby
  • Does this answer your question? [Restrict API requests to only my own mobile app](https://stackoverflow.com/questions/21465559/restrict-api-requests-to-only-my-own-mobile-app) – Jet.B.Pope Oct 20 '22 at 17:18

1 Answer

0

You can create a proper auth system with tokens. Then you can prevent direct access. You can use a JWT kind of token mechanism.

It is a very secure and proper way to maintain your API.

But if direct users have a token, then they can also access your API.

  • I generate a token from the backend once they have logged in; it is used when requesting the API. The problem is that the token is stored in the mobile app in order to post to the API. However, the user could get the token from the app. I don't know how they could do that. Do you know a method to accept connections from the mobile app only? – Bobby Oct 20 '22 at 07:55
  • Where did you store your token inside the app? If you do that correctly it is impossible to read the token from outside. However, I have found this URL; it may be useful for you. Please refer to it: https://stackoverflow.com/questions/7037423/how-to-identify-request-from-a-mobile-device – Chaminda Chanaka Oct 20 '22 at 09:10
  • I store it in a GetX controller. – Bobby Oct 22 '22 at 02:35
  • @BobbyJulian Is it correct now? – Chaminda Chanaka Oct 24 '22 at 07:38
  • It has not. What I have done is to change the server token for each request, then store it in the user token table. So, once the app sends an HTTP request, the server will do validation. However, this consumes quite a lot of server resources. Do you have any solution regarding this one? – Bobby Oct 24 '22 at 07:43
  • @Bobby I can suggest this: suppose you have two different user types, e.g. staff and salesrep, but you want to give access only to salesreps. So when they log in, please check the user type. If the user is a salesrep then create a token for them; if staff logs in, throw an error. – Chaminda Chanaka Oct 24 '22 at 08:05
  • It's not about authorization. The matter is that members could post directly from their browser. First, they capture the HTTP request and query. Then, they post it directly, such as from cURL, and duplicate the HTTP headers without accessing the mobile app. The main problem is that the mobile app does not give 'http_origin' or even 'http_referrer'. – Bobby Oct 24 '22 at 08:11
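Added example (not code from the answer or the question): the JWT-style token flow the answer recommends, implemented in Python with only the standard library, issued at login and verified statelessly so the server needs no per-request token table. The secret, user id and timestamps are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Server-side signing secret (constructed placeholder, not a real key).
SECRET = b"server-side-secret-placeholder"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issue a compact HS256 JWT after the app's login call succeeds."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl_seconds}
    enc = lambda obj: _b64(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if signature and expiry check out, else None.
    No database lookup is needed: the HMAC proves the server issued it.
    This proves possession of a server-issued token, not that the request
    came from the app; a token copied out of the app verifies just as well."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            return None  # tampered or forged
        header = json.loads(_unb64(h))
        payload = json.loads(_unb64(p))
    except ValueError:
        return None  # malformed token
    if header.get("alg") != "HS256":
        return None  # reject any algorithm we did not issue with
    if payload.get("exp", 0) <= now:
        return None  # expired
    return payload
```

As the answer says, this only authenticates whoever holds the token; it cannot distinguish the mobile app from a replayed cURL request.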