Programmers Stack Exchange is a question and answer site for professional programmers interested in conceptual questions about software development. It's 100% free.

Actual state

I have a REST API and a React JS application that communicates with this API. In the API there are some public endpoints - for user registration, processing lost passwords etc. And I am looking for a solution for how to restrict access to these public endpoints to only my React JS application, because anybody who knows these endpoints can make requests, create user accounts and do things in the system that they should not do.

I have some ideas but all of them have some security flaws:

  • access token - every application will have its own access token that it will pass with all its requests to get access to the API. But this is a problem, because if it is a frontend JS application, the token needs to be saved in the JS code, and the end user can get this token and make requests his own way.

  • limits - limit bad requests and count how many bad requests a particular application (identified by its token) made. If there are too many bad requests, disallow the application's access to the API. But this is a problem, because one user can block all other users of one particular application (if he gets an application token and makes requests his own way).

Question

Is there some way to solve this problem?

Not really. Since it's a public endpoint, it is a public endpoint. The only reasonable things to do would be to have an IP level front end blocking too many queries. Tokens don't really work, unless they're per instance and nobody can get someone else's token, as you noted. – Sami Kuhmonen Sep 24 at 8:42
You should define what you want to prevent. If an API is open to user registration, it's open to user registration, regardless of the client application. All you can do is apply some limiters, e.g. rate limiting by IP, Captcha or email address verification. – CodesInChaos Sep 24 at 8:45
implement 'logging in' with a 'username' and 'password' – Ewan Sep 24 at 10:34

2 Answers

I think your access token approach is the only workable one. No, it's not perfect, but it will secure your endpoint from random users. As to the issue of users snagging the token from the request and using it outside your code, how likely is this scenario? If it starts to become a problem, are there other tools (e.g., IP address blacklisting) that might help?

Do you mean one access token for one application for all time, or an expiring token, e.g. issued for 30 min? – user1315357 Sep 24 at 14:45

My suggestion would be to have a two-legged authentication mechanism, using application keys, like the access token approach you suggested and your authentication mechanism. Essentially, the authentication request should be made using that publicly available key and then once you have your access token/session, you don't need to use that application key anymore.

Now, in order to secure this, you can have a mapping of valid origins associated with said key. So you can check the origin of the requests and make sure they are actually coming from your domain(s).

Not sure how you do authentication, if you use an OAuth mechanism or what, but even when you give out a token to your users to authenticate against your API, you should be using an application key.

This is what most OAuth APIs do, for example Google (see Web Applications).

For publicly available methods, you can just ignore the two-legged authentication and use that application key by itself.

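The check the answer above describes (application key plus a mapping of allowed origins), combined with the per-IP rate limit suggested in the comments, as an added framework-free example that is not code from the question or either answer. The registry contents, the `x-app-key` header name, the IP field and the limit values are assumptions.

```javascript
// Hypothetical registry: application key -> origins allowed to present it.
// Key value is a constructed placeholder, not a real credential.
const APP_REGISTRY = {
  'pk_react_frontend_EXAMPLE': ['https://app.example.com'],
};

// Assumed limit: at most 20 public-endpoint requests per IP per minute.
const RATE_LIMIT = { windowMs: 60000, maxRequests: 20 };
const hits = new Map(); // ip -> array of request timestamps (ms)

// Length-independent comparison so the key lookup does not leak
// how many leading characters matched.
function keysMatch(a, b) {
  a = String(a); b = String(b);
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Returns the origins registered for this key, or null if unknown.
function knownOrigins(appKey) {
  for (const [key, origins] of Object.entries(APP_REGISTRY)) {
    if (keysMatch(key, appKey)) return origins;
  }
  return null;
}

// Sliding-window counter per IP; true when the caller exceeded the limit.
function rateLimited(ip, now) {
  const recent = (hits.get(ip) || []).filter(t => now - t < RATE_LIMIT.windowMs);
  recent.push(now);
  hits.set(ip, recent);
  return recent.length > RATE_LIMIT.maxRequests;
}

// Gate for a public endpoint such as user registration.
// Returns { ok: true } or { ok: false, status, reason }.
function checkPublicRequest({ headers, ip }, now = Date.now()) {
  const origins = knownOrigins(headers['x-app-key'] || '');
  if (!origins) return { ok: false, status: 401, reason: 'unknown application key' };
  // Browsers set Origin themselves; a scripted client can forge it, so this
  // filters accidental cross-site use rather than a determined caller.
  if (!origins.includes(headers['origin'])) return { ok: false, status: 403, reason: 'origin not allowed for this key' };
  if (rateLimited(ip, now)) return { ok: false, status: 429, reason: 'rate limit exceeded' };
  return { ok: true };
}
```

As the comments note, the key is visible in the shipped JS, so the rate limit is what actually bounds abuse; the key and origin mapping only identify which client an excess of requests claims to come from.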
