Design secure RESTful APIs that do not use OAuth authentication


The client program that calls the API needs to send the following headers:

API_ID: 1

API_TIME: timestamp

API_HASH: $clienthash

$clienthash is calculated as follows:

$user = "username";

$publicKey = 'hello';

$privateKey = hash_hmac('sha256', $user, $publicKey); // the client's privateKey must be stored in the database beforehand

$data = json_encode($requestBody); // the request body, as a JSON string

$apiId = 1;        // the value sent in the API_ID header

$apiTime = time(); // the value sent in the API_TIME header

$clienthash = hash_hmac('sha256', $apiTime . $apiId . $data, $privateKey);

API side verification:

$serverHash = hash_hmac('sha256', $apiTime . $apiId . $data, $privateKey); // look up this client's privateKey in the database using API_ID

If $clienthash === $serverHash, proceed to the second layer of validation:

If the server time and API_TIME differ by no more than the configured window, validation passes.

The second way:

  1. Set a key, e.g. key = ‘2323dsfadfewrasa3434’.
  2. This key is known only to the sender and receiver.
  3. When calling the API, the sender combines each parameter with the key according to agreed rules (sorting, MD5, IP address, etc.) to generate an access_key, and POSTs it to the API together with the parameters.
  4. The receiver takes the POSTed parameters and the access_key and, applying the same rules (sorting, MD5, IP address, etc.) to the parameters together with the key, generates access_key2.
  5. Compare access_key and access_key2. If they are the same, the operation is allowed; if not, an error is returned or the sender is added to the blacklist.
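The following is an added example, not code from the original post, implementing both schemes above in PHP: the header-based HMAC scheme with its two verification layers, and the sorted-parameter access_key scheme. It assumes a constructed $clientStore array in place of the database, compares hashes with hash_equals() rather than === so the comparison does not leak timing information, and substitutes HMAC-SHA256 for the plain MD5 mentioned in the second scheme; the function names are chosen here.

```php
<?php
// Added example (not the post's own code) for both schemes above. $clientStore stands
// in for the database table of client keys; the function names are chosen here.
const MAX_CLOCK_SKEW = 300; // seconds API_TIME may differ from the server clock

// Constructed stand-in for the database: API_ID => privateKey, derived as in the post.
$clientStore = [1 => hash_hmac('sha256', 'username', 'hello')];

// Client side: build the API_ID, API_TIME and API_HASH headers for a JSON body.
function signRequest(int $apiId, string $privateKey, string $data, ?int $now = null): array {
    $time = $now ?? time();
    return [
        'API_ID'   => (string) $apiId,
        'API_TIME' => (string) $time,
        'API_HASH' => hash_hmac('sha256', $time . $apiId . $data, $privateKey),
    ];
}

// Server side: look up the client's key, recompute the hash over the same
// API_TIME.API_ID.$data string, compare in constant time, then check freshness.
function verifyRequest(array $headers, string $data, array $store, ?int $now = null): bool {
    $apiId = (int) ($headers['API_ID'] ?? 0);
    if (!isset($store[$apiId])) {
        return false; // unknown client
    }
    $time     = $headers['API_TIME'] ?? '';
    $expected = hash_hmac('sha256', $time . $apiId . $data, $store[$apiId]);
    if (!hash_equals($expected, $headers['API_HASH'] ?? '')) {
        return false; // first layer failed: hash mismatch (body or headers altered)
    }
    // second layer: reject a request whose timestamp falls outside the window
    return abs(($now ?? time()) - (int) $time) <= MAX_CLOCK_SKEW;
}

// "Second way": sort the POST parameters, serialize them and hash with the shared key.
// HMAC-SHA256 is used here in place of the plain MD5 the post mentions.
function accessKey(array $params, string $key): string {
    ksort($params);
    return hash_hmac('sha256', http_build_query($params), $key);
}

$data    = json_encode(['order' => 42, 'amount' => '10.00']);
$headers = signRequest(1, $clientStore[1], $data);
var_dump(verifyRequest($headers, $data, $clientStore));               // unaltered request
var_dump(verifyRequest($headers, $data . ' ', $clientStore));         // body changed in transit
var_dump(verifyRequest($headers, $data, $clientStore, time() + 900)); // same request seen much later
var_dump(hash_equals(accessKey(['b' => 2, 'a' => 1], 'k'), accessKey(['a' => 1, 'b' => 2], 'k')));
```

The last line shows why the parameters are sorted before hashing: the same parameters sent in a different order must yield the same access_key on both sides.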
