
Mobile App talking to API - authentication question

Discussion in 'PHP' started by stephan2307, Jun 5, 2019.

  1. #1
    Hi,

    I am building a mobile app (using phonegap) which speaks to an API.
    In this app, users need to register and log in in order to use the app. For this I have built an API ( served only over https ). I am just wondering what the best way is to sort the authentication.

    At the moment when you log in, it checks email address and password. If the combination is found in the database, I am returning a randomly generated key with 50 characters ( uppercase, lowercase, numbers and a few special characters ). The app is then storing this key in local storage.

    Whenever the app does an API call, the key is added to the header. Before the API does anything, it checks the key and checks if it is valid. Only once it is validated is the rest of the API call performed.

    The tokens are stored on the API side in the database along with an expiry date and the user agent. If the user agent is different from the one that was used to create the token, the token is immediately invalidated and deleted.

    Is this a relatively safe method or are there any security risks?

    Thanks
     
    stephan2307, Jun 5, 2019
  2. JEET

    JEET Well-Known Member

    #2
    What you are returning is a token, not a key.
    Key is something constant, specific to the app or the developer.
    Tokens are generated on the fly, for a particular session, for a specific time.

    When a user needs to authenticate, the app sends the user to your website, passing the Key in headers.
    When user authenticates successfully, then a token is generated for a defined expiry time, and this is returned back to app.
    This is what you are returning, a TOKEN, not a KEY.
    Key is completely missing from your flow process.


    Now whenever the app makes a request, it sends both its developer KEY and the TOKEN to your server, in headers.
    Your server checks both if KEY is valid, and if TOKEN is valid, and processes the request, logging the KEY and the activity requested.

    With just the token, and without the KEY, there is no way of knowing which developer app sent the request.

    Suppose 5 people made 5 apps using your API.
    Each app sends the user to your website for authentication. User enters their email/password to login.
    You returned the token to the app.
    Can you tell which of the 5 apps is making the request? No.
    If an app keeps sending bogus requests, overloading your server, there is no way of knowing which app to block, since there is no developer key...

    If you are the only one who will make an app and the API is not public, even then use the developer KEY check instead of the user agent check.
    If someone steals the token, they cannot steal the developer key, because that is hard coded in your app.
    The token can be stolen because your server is returning it as an "output" to a https request, later sent as "headers" back to you.
    But the developer key always stays in headers, never visible.

    The user agent check is useless. It's so simple to fake a user agent...

    I hope I understood your question correctly.
     
    JEET, Jun 7, 2019
    stephan2307 likes this.
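The scheme from post #1 (random token, stored with expiry and user agent, checked on every call) combined with the developer-key header from post #2, as an added example that is not code from either poster or from the app in question. It is written in Python rather than the poster's PHP, uses an in-memory dict as a stand-in for the database table, and goes one step beyond post #1 by storing only a SHA-256 hash of the token server-side; the header names and the app-key value are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the tokens table of post #1:
# token hash -> {user_id, expires, user_agent}. Only the hash is kept,
# so a leaked table does not hand out live tokens (hardening beyond the post).
TOKENS = {}
# Hard-coded developer key from post #2 (constructed placeholder value).
APP_KEY = "example-app-key-placeholder"
TOKEN_TTL = timedelta(hours=24)


def hash_token(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_id, user_agent, now=None):
    """Called after the email/password check succeeds. Mints a CSPRNG token,
    records its hash, expiry and the issuing user agent, and returns the raw
    token, which is sent to the app once and never stored server-side."""
    now = now or datetime.now(timezone.utc)
    token = secrets.token_urlsafe(40)  # ~53 URL-safe characters
    TOKENS[hash_token(token)] = {
        "user_id": user_id,
        "expires": now + TOKEN_TTL,
        "user_agent": user_agent,
    }
    return token


def authenticate(headers, now=None):
    """Check the developer key and the token headers of an API request.
    Returns the user id on success, otherwise None. A user-agent mismatch or
    an expired token deletes the record, as post #1 describes."""
    now = now or datetime.now(timezone.utc)
    # Constant-time compare so the key check leaks nothing via timing.
    if not hmac.compare_digest(headers.get("X-App-Key", ""), APP_KEY):
        return None
    key = hash_token(headers.get("X-Auth-Token", ""))
    rec = TOKENS.get(key)
    if rec is None:
        return None
    if rec["user_agent"] != headers.get("User-Agent") or now >= rec["expires"]:
        del TOKENS[key]  # invalidate immediately, as in post #1
        return None
    return rec["user_id"]
```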
  3. stephan2307

    stephan2307 Well-Known Member

    #3
    Thanks for explaining.

    Just to explain, the API will not be public and as far as planned there will only be one app made using this API.

    While it is easy to fake the user agent, in order to validate the token you would need to know that you also need the exact user agent. If you just have a token it is useless.

    Also it is possible to return the API token via the header.

    Anyway, my general question was if the method of using tokens and submitting them via header is a good way to do this or if I should be doing it a more secure way.
     
    stephan2307, Jun 7, 2019
    JEET likes this.
  4. JEET

    JEET Well-Known Member

    #4
    I think sending in headers is good enough. :)
     
    JEET, Jun 9, 2019
  5. stephan2307

    stephan2307 Well-Known Member

    #5
    Thanks :cool::cool::cool::cool::cool:
     
    stephan2307, Jun 10, 2019
  6. JEET

    JEET Well-Known Member

    #6
    Welcome :) :) :)
     
    JEET, Jun 10, 2019