Why does WP JSON API use nonce

A colleague recently asked what the point of the nonce on WP JSON API is:
https://wordpress.org/plugins/json-api/
Since you can generate one without authentication, why bother with the extra step of having them at all?
I didn't know, and assumed maybe the authentication could be tightened later, but thought I would ask here in case someone knew.
Thanks in advance

Related

Protect WordPress Rest API to access from my Android App Only

I have created REST APIs on my WP server. I don't want to open the API for public access; I just want to access it from my own app. The question was asked previously, but it does not have any clear answer. I tried to use JWT, but in my case it's not valid because with JWT I need to log in the user, which is not possible in my case. I just want some protection for my REST API so that it can be accessed from my Android app without login.
This is not possible.
Think of it this way... Suppose you're expecting a friend for dinner. Someone knocks at your door. "Who is it?", you say. "I'm your friend", the voice answers.
Now, is it really your friend at the door? After all, you had to ask them who they were. Maybe it's someone pretending to be your friend. You can check the basics... were they expected at this time? Do they sound like your friend? But, you really don't know whether or not it's your friend. It could be someone emulating the protocol and sounding like your friend. This scenario is really no different than someone spoofing your app to make API calls. It can identify itself as your app, and since you have to rely on this information, you can't really prove that it is or isn't your app making the API call.
Maybe in a different scenario, you have a party. To get in to the party, you have to know the password. However, you want this to be a really big party so you put flyers up all around town, and you include the password on the flyers. This is like what you're doing when you have a publicly accessible app with the API key built into it. Everybody has the password, so you're only protecting your API from random requests unfamiliar with your app.
JWT really has absolutely nothing at all to do with user logins. But, JWT doesn't help you here anyway. Even if you signed some tokens, they still have to be embedded in your app.
What you can do is mutually authenticate both ends with a TLS connection. Use certificate pinning. But even all this isn't foolproof. It is still possible for someone to pretend to be your app.
There's no magic that can be done here. If you want people to access your API, you have to give people access to your API.

Server technology that allows client to define its JSON response format

So last year, someone introduced me to an off-the-shelf database server package/technology that would take a request from a client and would serve up the information in a JSON format that was defined in the request. Having previously had to develop mobile client applications using APIs designed for websites, this seemed like a wondrous thing. Being able to make one call and receive only the data you asked for and in the format that suited your code would be a godsend.
Unfortunately, I didn't get the opportunity to work directly with the technology and I have subsequently forgotten what it was called. Neither Google nor StackOverflow has been my friend. It's difficult to formulate the search terms to get the right hit I suppose. Nobody I currently work with has heard of this and I have lost contact with the people who originally introduced me to it.
It's driving me nuts. Does anyone know the name of this package?
The technology I was thinking of was GraphQL.

Was the Drive Realtime API changed today?

I have a Realtime API application in which the prototype of gapi.drive.realtime.CollaborativeString is modified to provide extra methods. Today (October 30, 2014) at about 10 AM EDT, the app suddenly stopped working. It turns out that accessing gapi.drive.realtime.CollaborativeString.prototype throws an error because gapi.drive.realtime.CollaborativeString, along with all the other Collaborative classes, is now undefined!
I am currently working around this by adding the required methods to each CollaborativeString individually, but I would appreciate if someone on the Google Drive API team could tell me:
Has the API actually been changed today to remove the public handles for these classes?
If so, why?
Most importantly, why was there no warning or change in the documentation? Unless there was no change and I'm just being stupid, this caused significant downtime on a production service today. The documentation still lists the classes in the gapi.drive.realtime namespace.
Thank you in advance for your clarification and sorry for the StackOverflow format. Also posted in the Google Drive issues forum.
We made some changes to the API to avoid exposing obfuscated private properties, which were causing problems for several of our users who were using custom objects (https://developers.google.com/drive/realtime/reference/gapi.drive.realtime.custom).
I'm sorry for the downtime that this caused. We did not know that anyone was modifying the prototype objects, and in fact we never doing so would work at all (though obviously it does).
I would be happy to have a 1-on-1 conversation about your app and how we can prevent future downtime. We have a pre-release channel that I would be happy to whitelist you for so that you can test changes before they affect your production users.

How do I secure an API by only allowing trusted domains?

Question
How do I secure an API by only allowing trusted domains?
Details
I am building a REST API. I need a way to distribute API Keys but only allow them to work from the domain they are registered with.
The main issue is my API Key needs to be embedded in a Flash File which can easily be decompiled to steal the API Key. If Flash makes this impossible I can use JavaScript instead.
I have heard a lot of people say use $_SERVER['HTTP_REFERER']. But that is easily spoofed.
How do I build an API that makes sure a request is coming from an allowed domain?
How do I create an API key that is tied to a domain?
How do I secure an API by only allowing trusted domains?
Related Stackoverflow Questions:
These questions are related but didn't quite answer my question. Figured I would just put them here for future reference.
Google API Key and Domain Check
How does Google Maps secure their API Key? How to make something similar?
JavaScript won't help you here - the problem is that the key is being stored on the client, which means that it is not secure. You can make it a bit more difficult for an attacker certainly (e.g. like you say checking the referrer), but at the end of the day all the server can verify is that the key is correct, and since the key can easily be stolen that's not very helpful.
The way this can be secured is by having the private keys run on the servers of whoever you are giving them to instead of in the client. Depending on your needs, this may not be feasible.
One possibility to make it a bit harder for attackers is to use the site-locking technique to only allow the SWF to call the API if it is on an appropriate domain. See http://blog.boogatech.com/as3_tutorial_site-locking_your_flash_project/ for an example. Please note however, that this is client security - the goal with sitelocking is usually just to stop people from playing your game on other sites (and even then it can't stop the most dedicated of attackers). In your case you are dealing with server security - the server doesn't know about the SWF, all it knows is the arguments it is being fed, so an attacker can just bypass the SWF and the client security and call the API from somewhere else.
I'd advise you to think about what attack and attackers you are trying to prevent (why do you have to tie API keys to a domain?). This will help you plan your security attempts better. For instance, if you are not running an ultra-critical API, you can decide that putting in a couple of things to make it harder for attackers to access the API is acceptable, with the knowledge that you can't stop an extremely dedicated attacker.
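An added example, not part of the answer above, of what keeping the key on the customer's server can look like: the customer's backend signs each request with HMAC and the API server verifies it, so nothing secret reaches the SWF or browser. The function names, the field names and the five-minute window are assumptions made for the illustration.

```php
<?php
// Added illustration; sign_request/verify_request and the auth fields are hypothetical names.
const MAX_SKEW = 300; // seconds a signed request is accepted (assumed value)

// Runs on the customer's server. The secret is never shipped to a client.
function sign_request(string $keyId, string $secret, string $method, string $path, string $body, int $now): array
{
    $payload = implode("\n", [$method, $path, (string) $now, hash('sha256', $body)]);
    return [
        'key_id'    => $keyId,
        'timestamp' => $now,
        'signature' => hash_hmac('sha256', $payload, $secret),
    ];
}

// Runs on the API server, which holds the same per-customer secret.
function verify_request(array $secrets, array $auth, string $method, string $path, string $body, int $now): bool
{
    $secret = $secrets[$auth['key_id'] ?? ''] ?? null;
    if ($secret === null || !isset($auth['timestamp'], $auth['signature'])) {
        return false; // unknown key id or incomplete auth data
    }
    $ts = (int) $auth['timestamp'];
    if (abs($now - $ts) > MAX_SKEW) {
        return false; // too old (or too far in the future) to accept
    }
    $payload  = implode("\n", [$method, $path, (string) $ts, hash('sha256', $body)]);
    $expected = hash_hmac('sha256', $payload, $secret);
    return hash_equals($expected, (string) $auth['signature']); // constant-time comparison
}

// Constructed sample data for the demonstration.
$secrets = ['customer-1' => 'constructed-demo-secret'];
$now     = 1700000000;
$body    = '{"score":42}';
$auth    = sign_request('customer-1', $secrets['customer-1'], 'POST', '/v1/scores', $body, $now);

// Case 1: the request exactly as signed.
var_dump(verify_request($secrets, $auth, 'POST', '/v1/scores', $body, $now));
// Case 2: same signature, body altered in transit.
var_dump(verify_request($secrets, $auth, 'POST', '/v1/scores', '{"score":9999}', $now));
// Case 3: same request presented an hour later.
var_dump(verify_request($secrets, $auth, 'POST', '/v1/scores', $body, $now + 3600));
// Case 4: caller knows the key id but not the secret.
$guess = ['key_id' => 'customer-1', 'timestamp' => $now, 'signature' => str_repeat('0', 64)];
var_dump(verify_request($secrets, $guess, 'POST', '/v1/scores', $body, $now));
```

Inside the accepted time window a captured request can still be replayed unless the server also remembers which signatures it has already seen.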

Retrieving JSON from a web URL

This may be a terribly uninformed question, brace yourself. A company I'm working with has given an 'API' that I can use to access orders, however, there are only two real commands, getorders and getorderdetails. These commands are put in the format of www.server.com/path/to/the/orderapi/getorders/UniqueKey/
If I go to that web address, I'm prompted for a username and password, and once authenticating, get presented with a page of JSON formatted order details, contained in the body of the HTML page. I would like a service to check this information and create orders in our CRM based on it, is there an obvious way to access it without the browser/client interaction?
Update: We intended to use BizTalk to consume this resource but after a bit of research and experimenting have decided to use a different service (WSDL), mainly because BizTalk doesn't seem to have terribly great support for RESTful web services. If anyone with more knowledge of the subject would like to chime in that's fine by me.
Update 2: Noticed that (a since deleted) thread on Stack Overflow is basically a feedback thread of BizTalk 2009-r2, and one of the requests is support for RESTful web services, so I don't think there is a graceful solution for RESTful services in BizTalk 2009.
Use your language of choice, along with some library that speaks HTTP, and start hacking away?
In PHP, you'd use the built-in cURL library to make the HTTP requests. You'd grab the JSON data, run it through json_decode() to create native PHP datatypes, and then operate on them at will, doing whatever you need to do to create orders in your CRM.
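
An added example, not part of the answer above, of the cURL plus json_decode() approach for the getorders URL from the question. It assumes the login prompt is HTTP Basic authentication served over HTTPS; the JSON field names and the environment variable names are also assumptions.

```php
<?php
// Added illustration. URL layout follows the question; JSON field names are assumed.
function fetch_orders_json(string $baseUrl, string $uniqueKey, string $user, string $pass): string
{
    $ch = curl_init($baseUrl . '/getorders/' . rawurlencode($uniqueKey) . '/');
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
        CURLOPT_USERPWD        => $user . ':' . $pass,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never send the password over plain HTTP
        CURLOPT_SSL_VERIFYPEER => true,            // keep certificate validation on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_FOLLOWLOCATION => false,           // do not carry credentials across redirects
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    if ($body === false || $status !== 200) {
        throw new RuntimeException('getorders failed: HTTP ' . $status . ' ' . curl_error($ch));
    }
    return $body;
}

// Treat the response as untrusted input: strict decode, then keep only expected fields.
function parse_orders(string $json): array
{
    $data = json_decode($json, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !is_array($data['orders'] ?? null)) {
        throw new UnexpectedValueException('unexpected response shape');
    }
    $orders = [];
    foreach ($data['orders'] as $o) {
        if (is_array($o) && isset($o['id']) && is_scalar($o['id'])) {
            $total    = is_numeric($o['total'] ?? null) ? (float) $o['total'] : 0.0;
            $orders[] = ['id' => (string) $o['id'], 'total' => $total];
        }
    }
    return $orders;
}

// Constructed sample body, so the parsing step runs offline.
$sample = '{"orders":[{"id":1001,"total":"19.90"},{"note":"no id"},{"id":1002}]}';
print_r(parse_orders($sample));

// Live call only when credentials are supplied through the environment (variable names assumed).
if (getenv('ORDER_API_USER') !== false) {
    $base = 'https://www.server.com/path/to/the/orderapi';
    $json = fetch_orders_json($base, (string) getenv('ORDER_API_KEY'), (string) getenv('ORDER_API_USER'), (string) getenv('ORDER_API_PASS'));
    print_r(parse_orders($json));
}
```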