How to authorize only my app to use my REST API ?

I have this code in JavaScript

$.ajax({
    type: 'DELETE',
    url : 'removeTest',
    data: { ... },
    beforeSend: function(){
        ...
    },
    complete: function(){
        ...
    },
    success: function(data, textStatus, jqXHR){
        ...
    }
});

This call will remove a user from the database with a REST API in PHP. The problem is that everyone can remove a user, with Postman (Chrome plugin) for example. How can I protect my REST API to authorize only my app?

Checking the HTTP_REFERER is not enough. What could be better?

Thanks for your help

1 Answer

You have several possibilities here. In general you could authorize the user, the app or both. This depends on your application requirements.

Authenticate Applications

To authenticate the application you could use a token based system, such as an API-Key. This means any request would be signed using additional request parameters. Take a look at the way Amazon does this in their S3 service for example. If your application will be the only one that will access the REST API you could alternatively simply restrict the access by the IP address.

If there will be multiple users using the service via your client, you may also need to authorize the access to certain functions. For example: Will every user be allowed to delete any resource? If the answer is no, you have to implement

Authenticate and authorize users

A simple way to authenticate users in a RESTful API is using HTTP Basic or Digest Auth. In this setting the user credentials are sent via the Authorization header in the form of username:password as a Base64 encoded hash to the server. Please note that you should only do this via a secured connection using HTTPS!

Additionally you could also take a look at more complex/sophisticated practices like OAuth.

answered 2013-06-28T09:47:28.323