I am about to publish a demo JavaScript application based on the eBay Finding API on my personal website; I was wondering if there is a way to prevent my AppID from being read and exploited. Is it possible to associate the AppID with a specific domain? I haven't been able to find an answer either on the eBay Developer Forums or in the official documentation.
2 Answers
If you send data to the client, the client can read the data. There is no way to prevent this (if JavaScript can decode it, so can the user). In order to avoid that, you need to keep the data (your AppID) on your site, and process the request on your server. So the JavaScript needs to talk to your server, and your server will then pass on the request to eBay, adding the AppID, and then pass the results back to the JavaScript.
- Thank you for your answer, Rob. Yes, I will end up cooking a server-side PHP script to retrieve the data. I was wondering why eBay did not implement any security measure: the Etsy JavaScript API control panel, for example, allows developers to set access restrictions on a per-domain basis. – humana.fragilitas Apr 01 '12 at 12:34
- I'm not familiar with the Etsy interface. Could you explain it a little more? I don't know what you mean by "domain" here. AuthDomain? IP block? How does this actually work when the user has the API key? – Rob Napier Apr 01 '12 at 12:53
- Etsy does perform a check on the referral address; if it does not match the domain specified in the control panel, no data is returned. Even if it certainly isn't a 100% reliable security measure, it does at least allow developers to set a minimal restriction on the possible exploitation of JavaScript routines (with readable AppIDs). – humana.fragilitas Apr 01 '12 at 13:31
- True, but it is trivial to forge. I mean really, really trivial. Anyone can write anything in the referer header and it can't be authenticated. I wouldn't want anything actually valuable protected that way. It's worse than no security because the developer might think it's actually protecting something. Since eBay represents real money, I'm glad they don't provide something like that. It's like putting up a handrail that isn't bolted down. It works only as long as it isn't needed. – Rob Napier Apr 01 '12 at 14:38
- Server-side scripts or applications that interact with the Trading API obviously require way stronger and more complex security measures. I was just considering, instead, a simple demo JavaScript, JSONP-enabled application meant to display a dozen items in a nice sidebar widget. Nothing more :) – humana.fragilitas Apr 01 '12 at 15:27
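The server-side proxy Rob describes, written up as an added example (not code from the question, the answers, or eBay): the AppID lives only on the server, the browser calls the proxy with a search term, and the proxy validates the input, applies a small per-client budget so one visitor cannot burn the shared daily call limit, and returns only the fields the widget needs. The Finding API endpoint and parameter names are written from memory of the classic Finding API and are assumptions; `fetchImpl` is injected so the flow can be exercised offline with a fake.

```javascript
// Added example, not code from the question or answers: a minimal Node.js
// proxy for the eBay Finding API. The AppID stays on the server; the browser
// calls only the proxy. Endpoint/parameter names are assumptions from memory.
const EBAY_FINDING_URL = "https://svcs.ebay.com/services/search/FindingService/v1";

// Build the upstream URL from validated, whitelisted client input only, so
// the proxy cannot be turned into a generic relay for arbitrary eBay calls.
function buildFindingUrl(appId, query) {
  const keywords = String(query.keywords || "").trim();
  if (keywords.length === 0 || keywords.length > 100) throw new Error("invalid keywords");
  const perPage = Number(query.limit || 12);
  if (!Number.isInteger(perPage) || perPage < 1 || perPage > 25) throw new Error("invalid limit");
  const params = new URLSearchParams({
    "OPERATION-NAME": "findItemsByKeywords",
    "SERVICE-VERSION": "1.0.0",
    "SECURITY-APPNAME": appId,          // the secret; never echoed to the client
    "RESPONSE-DATA-FORMAT": "JSON",
    "keywords": keywords,
    "paginationInput.entriesPerPage": String(perPage),
  });
  return `${EBAY_FINDING_URL}?${params}`;
}

// Per-client hourly budget so one visitor cannot burn the shared daily
// call limit through the proxy (the quota concern raised in the thread).
const budget = new Map();
function allowRequest(clientIp, maxPerHour = 60, now = Date.now()) {
  const hour = Math.floor(now / 3600000);
  const entry = budget.get(clientIp);
  if (!entry || entry.hour !== hour) { budget.set(clientIp, { hour, count: 1 }); return true; }
  if (entry.count >= maxPerHour) return false;
  entry.count += 1;
  return true;
}

// Reduce the upstream JSON to the few fields the sidebar widget needs.
function shapeResponse(data) {
  const items = data.findItemsByKeywordsResponse?.[0]?.searchResult?.[0]?.item ?? [];
  return { items: items.map(i => ({ title: i.title?.[0], url: i.viewItemURL?.[0] })) };
}

// One proxied search. fetchImpl is injected so the flow can be exercised offline.
async function proxySearch(query, clientIp, appId, fetchImpl) {
  if (!allowRequest(clientIp)) return { status: 429, body: { error: "rate limited" } };
  let url;
  try { url = buildFindingUrl(appId, query); } catch (e) { return { status: 400, body: { error: e.message } }; }
  const upstream = await fetchImpl(url);
  return { status: 200, body: shapeResponse(await upstream.json()) };
}
```

Wire `proxySearch` behind a route such as `/search` on your own origin and read the AppID from an environment variable; the browser widget then talks to that route instead of to eBay directly.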
To answer your question...
It doesn't seem possible to restrict AppIDs as the limits don't work on a per-site basis like that and you usually have just one AppID for all your uses/sites. See this comprehensive thread from 2010 (quoted below); I doubt much has changed. The end result is it basically doesn't matter for a read-only application such as search results on your website.
More generally about securing JSON API calls in-browser
Checking the referrer is the best way to secure an otherwise public API. This is how Google restricts their API keys for maps, for instance: https://developers.google.com/maps/documentation/javascript/tutorial
About the only thing that will prevent fraud is activity monitoring. Given that the API is called from third-party computers, one would have to track trends for abuse, perhaps by comparing a list of calls to other website activity, or by using JSONP to inspect the browser's properties with AJAX. Google can cross-reference their API calls with their Google Analytics calls, for example, though there could always be false positives.
In the end, if the fear is CSRF, there's this: How to reliably secure public JSONP requests?
Quoting verbatim from the eBay thread in case the URL changes again:
There is one DevID per developer account.
There could be multiple AppID, but these are only available via paid support ticket.
Each AppID can have multiple CertID. The CertID determines your call limits.
You can generate unlimited tokens for each AppID. Each token is a pairing of AppID, UserID, and the associated eBay user's password. Tokens are currently active for 18 months. They must then be regenerated. Tokens can also be prematurely 'revoked' either via the API or website preferences.
For the API families that require a token, you can use a single token based on your own UserID to retrieve most public information. However, private transaction details are only available when you use a token generated for the target UserID. Some calls actually derive the UserID from the token.
If multiple applications share the same AppID, they will both contribute towards the daily call limits. That's why you might want to request a separate AppID.
https://www.x.com/developers/ebay/ebay-api-call-limits
The limits shown in the chart are 'aggregate' for the given API family. There's an implicit per-AppID limit. For the Trading API, eBay further limits use on a per-call or per-time-interval basis. Some calls like AddItem have higher limits. GetApiAccessRules will return your actual limits and usage.
Per-IP-address means the IP address of the calling machine. If you were to rotate through multiple IP addresses, you'd actually multiply your limit. There are many read-only 'widgets' written in JavaScript or Flash which run in the client browser and thus use the client IP to make the calls. In that case, the call limit is pretty insignificant.
AppID, DevID and CertID belong to the creator of the developer account. That creator is bound by the API license provisions.
As the owner of the keys, you are not to allow any 3rd-party programmatic control of the API. Strictly speaking, that means that both the keys and any token derived from those keys should remain private (i.e. under your exclusive control).
Obviously, eBay does not enforce that strict interpretation since FetchToken is suggested for client-side applications. A sophisticated user could easily grab the token coming or going. What harm can someone do with a token based on their own UserID?
- Burn through your daily call limit
- Create an API application that violates the license
For more of the debate, see this earlier thread. (Link broken)
Once your application passes the eBay Compatible Application Check, you can request either 1.5M shared or 20K calls per user.
For further information about eBay's APIs, I suggest asking on their forum.