I have created an API which takes the hostkey or API_KEY, validates it, and gives back a JWT token. Everything is working fine; I can't access the restricted routes without the hostkey.
ISSUE
The major issue is what will happen if someone gives this hostkey to others, as it will no longer be protected and it will be misused. So what I want to do is not only validate the hostkey but also validate the domain from which the request came. It is kind of a paid service and I really want to restrict it to specific domains. Just like Google does with the Maps API: if we add that map key to another domain it throws an error.
asked Feb 21, 2021 at 15:16 by Akhilesh; edited Mar 2, 2021 at 10:30 by Henke
Comments:
- AFAIK Google APIs are only restricted in the way you describe when calling them via AJAX. And the reason for that is primarily CORS restrictions. If you call them from a non-AJAX context then that doesn't apply. And it can't apply - "domain" isn't really a concept in a more general HTTP request context. A request can be made from a home computer to an API, and that machine is not part of any domain, yet the request is still legitimate. – ADyson, Feb 21, 2021 at 16:07
- Also, to further the comparison with Google, they generally only use API key authentication for requesting data which is already public - e.g. public calendar data etc. If you wanted to access something private (e.g. email) you have to use a stronger authentication method. Ultimately though, no matter what authentication system you use, if someone decides to share their credentials with someone else on purpose that's their problem, not yours, and there's not a lot you can do about it. – ADyson, Feb 21, 2021 at 16:10
- @ADyson Thanks for the reply, but the idea of this API is to provide a video service and play it in their window after successful authentication, so in this case we only want to play video on those domains which are allowed. Otherwise if they share their API key it is gonna be our loss as we are providing video access for free. – Akhilesh, Feb 21, 2021 at 16:13
- Well you can implement CORS restrictions for Ajax access, which restricts access to specific domains. But it's unclear how your actual video playback works. Maybe you can also implement maximum concurrent logins like Netflix does. It's not very clear if you are providing this service to websites, or to consumers directly? The context makes a difference to how you implement it. – ADyson, Feb 21, 2021 at 16:17
- How can I do CORS restriction for Ajax? The whole point where I am stuck is how I can know from which domain I get the request. – Akhilesh, Feb 21, 2021 at 16:22
2 Answers
The only way to do this is to check the origin and referrer headers.
Unfortunately, server to server this can't be done reliably, as the referrer and origin headers would be set by the coder and so can be spoofed easily. For server to server calls you would be better off whitelisting IP addresses that are allowed to make calls to your APIs. In this case use something like How to get Real IP from Visitor? to get the real IP of the server and verify it against whitelisted IPs.
Assuming this is a JS call in the browser and not server to server, and that you trust the browser, the only way this can really be done is by verifying the referrer and origin headers. This can still be spoofed with a browser plugin or even with a tool like Postman, so I don't recommend it for high security. Here is a PHP example for verifying the origin or referrer.
```php
// Prefer the Origin header, fall back to Referer; empty string when neither is sent
$origin_url = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
$allowed_origins = ['example.com', 'gagh.biz']; // replace with query for domains.
$request_host = (string) parse_url($origin_url, PHP_URL_HOST);
// Keep only the last two labels (the registrable domain for simple TLDs such as .com)
$host_domain = implode('.', array_slice(explode('.', $request_host), -2));
// Fail closed when no host could be extracted or it is not on the allow-list
if ($request_host === '' || ! in_array($host_domain, $allowed_origins, false)) {
    header('HTTP/1.0 403 Forbidden');
    die('You are not allowed to access this.');
}
```
Optionally, CORS headers are also good, as commented by @ADyson: Cross-Origin Request Headers(CORS) with PHP headers
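As an added example (not the answer's code, nor anything from the asker's project), here is a PHP version of the same Origin/Referer check that compares whole domain labels against the allow-list, so `evil-example.com` is rejected while `app.example.com` and multi-label entries such as `example.co.uk` work, and that fails closed when neither header is present. The allow-list is a constructed stand-in for the database lookup the question describes, and `str_ends_with` assumes PHP 8.

```php
<?php
// Added example (not the answer's code); str_ends_with needs PHP 8.
// Allow-listed domain that $host equals or is a subdomain of, else null.
// Whole labels are compared: "evil-example.com" does not match "example.com",
// and multi-label entries such as "example.co.uk" work.
function matchAllowedDomain(string $host, array $allowedDomains): ?string
{
    $host = strtolower(rtrim($host, '.'));
    foreach ($allowedDomains as $allowed) {
        $allowed = strtolower(rtrim($allowed, '.'));
        if ($host === $allowed || str_ends_with($host, '.' . $allowed)) {
            return $allowed;
        }
    }
    return null;
}

// Host from the Origin header, falling back to Referer. Null when neither is
// present or parseable, so a missing header fails closed; a literal "null"
// Origin (opaque/sandboxed contexts) is rejected too.
function originHost(array $server): ?string
{
    $url = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($url === null || $url === 'null') {
        return null;
    }
    $host = parse_url($url, PHP_URL_HOST);
    return (is_string($host) && $host !== '') ? $host : null;
}

// Reject disallowed origins; for allowed ones emit a per-domain CORS header.
function enforceOrigin(array $server, array $allowedDomains): string
{
    $host = originHost($server);
    $match = $host === null ? null : matchAllowedDomain($host, $allowedDomains);
    if ($match === null) {
        http_response_code(403);
        exit('Origin not allowed for this API key.');
    }
    if (isset($server['HTTP_ORIGIN'])) {
        // Echo the validated origin rather than "*" so the grant stays scoped.
        header('Access-Control-Allow-Origin: ' . $server['HTTP_ORIGIN']);
        header('Vary: Origin');
    }
    return $match;
}

// Constructed allow-list; in the real API load it from the database for the key.
$matched = enforceOrigin($_SERVER, ['example.com', 'shop.example.co.uk']);
```

Call `enforceOrigin` before issuing the JWT so the token is only minted for requests whose page origin is on the key's allow-list; as the answer notes, this still only raises the bar for browser callers and is no substitute for IP allow-listing or stronger authentication on server-to-server calls.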
I would like to suggest making a quota or limit for the number of requests, so when the paid API reaches 100 requests the key will stop working; then the person who paid will not give the key to others. This is not a perfect solution, but I would suggest it because most API services use it.
Tags: javascript | Restrict PHP API for specific domains which are saved in my database - Stack Overflow