Reputation: 474
I have a booking site from which I provide a few lines of code to the user, where I add an API key in a div
along with the code. The users are required to add this code to their website. Then I load the view from my site on their site using ajax calls. My concern is: how can I make these calls secure using a public and private API key with RESTful web services in CodeIgniter?
The code I provide to the user looks like:
<link rel="stylesheet" type="text/css" href="http://localhost/bookingpoints_com/apiTesting/styles/first.css" />
<script src="http://localhost/bookingpoints_com/contents/scripts/jquery.js" ></script>
<script src="http://localhost/bookingpoints_com/contents/scripts/apiused.js" ></script>
<script src="http://localhost/bookingpoints_com/apiTesting/scripts/common.js" ></script>
<div id="api-data-reserve" name="Njc4ZDI5ZDZiN2RlYzIxMzM1N2U3ZWRkOGEwYjhlNThhZmZiNDNjNXRlc3QgY29kZTE=" data="Njc4ZDI5ZDZiN2RlYzIxMzM1N2U3ZWRkOGEwYjhlNThhZmZiNDNjNW1HVnZ3YVhMRVc=" sitekey="Njc4ZDI5ZDZiN2RlYzIxMzM1N2U3ZWRkOGEwYjhlNThhZmZiNDNjNQ=="></div>
With these lines of code I make an ajax call to my site and render the view on the user's site. How could I make it work like Google's client and secret key structure, with authentication using RESTful services in a pure API architecture?
Upvotes: 8
Views: 1873
Reputation: 1606
I wrote an article a while back on securing REST APIs, specifically those consumed by a browser. I recommend taking a look: https://www.moesif.com/blog/technical/restful-apis/Authorization-on-RESTful-APIs/
Auth0, an authentication provider, also has quite a few resources. I have no affiliation other than having used them before and liking their product.
Many APIs are secured through JWTs, which are nice since they allow you to authenticate an API call without centralized auth servers. They are based on public/private crypto algorithms where the two keys are mathematically related. The keys are generated in a trusted environment such as your server, but anyone can verify that they came from who they say they did. You can design other authentication token schemes.
Depending on what you need, the keys will be accessible by any client, so you can design a specific permissions model to ensure the key has least-privilege rights (i.e. it shouldn't have admin rights, etc.).
Upvotes: 2
Reputation: 2488
Facebook, Google and other large companies use iframes for these kinds of services.
Take Facebook as an example: it gives you one script to put in your code which, when run, creates an iframe for the particular view.
Also, you cannot make cross-site ajax calls. Only an iframe loaded from your site can securely load the page.
Now, with the keys: you can always provide the public key in the script. The iframe href will point to your website, where $_SERVER['HTTP_REFERER']
lets you make sure the API key is authorized. Don't use the private key unless you are not going to post any private confidential data.
Upvotes: 2
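An added example of the server-side check this answer describes (written for this page, not code from the answer's author): the iframe URL carries the public site key, and the server only serves the view when the embedding page's origin, taken from the `Origin` header or, failing that, from `Referer`, is on the allow-list registered for that key. The key values, the allow-list and the `?sitekey=` query parameter are assumptions; the registry is constructed inline.

```javascript
// Added example: authorize an iframe widget request by public site key and
// embedding origin. Registry, key names and the sitekey query parameter are
// assumptions for illustration; header names follow Node's lowercase convention.

// Constructed registry: public site key -> origins allowed to embed the widget.
const SITE_KEYS = {
  pk_test_abc123: ["https://shop.example", "https://www.shop.example"],
  pk_test_def456: ["https://other.example"],
};

// Reduce a Referer or Origin header value to its origin (scheme://host[:port]).
// Anything that is not an http(s) URL is treated as absent.
function originOf(headerValue) {
  if (!headerValue) return null;
  try {
    const u = new URL(headerValue);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.origin;
  } catch {
    return null;
  }
}

// Decide whether to serve the widget view for this sitekey. Prefer Origin,
// fall back to Referer (the header a browser actually sends on an iframe
// navigation), and refuse when neither is present: an absent header is not
// evidence that an allowed page embedded the widget.
function authorizeEmbed(sitekey, headers) {
  const allowed = SITE_KEYS[sitekey];
  if (!allowed) return { ok: false, reason: "unknown sitekey" };
  const origin = originOf(headers.origin) || originOf(headers.referer);
  if (!origin) return { ok: false, reason: "no origin/referer" };
  if (!allowed.includes(origin)) {
    return { ok: false, reason: "origin not allowed for sitekey" };
  }
  return { ok: true, origin };
}

// Entry point for the iframe URL, e.g.
//   https://api.example/widget?sitekey=pk_test_abc123
function handleWidgetRequest(requestUrl, headers) {
  const u = new URL(requestUrl);
  return authorizeEmbed(u.searchParams.get("sitekey"), headers);
}

module.exports = { originOf, authorizeEmbed, handleWidgetRequest, SITE_KEYS };
```

Comparing whole origins rather than substrings matters: a naive `referer.includes("shop.example")` would accept `https://shop.example.attacker.test`. Note that the browser sends `Referer` at the embedding page's discretion (referrer policy can strip it), so a legitimate embed may arrive without one; the example chooses to refuse in that case rather than fall open.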
Reputation: 1812
Ajax requests can be emulated by creating the proper headers. If you want a basic check to see whether the request is an Ajax request, you can use:
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest') {
    // Request identified as an ajax request
}
However, you should never base your security on this check. It will eliminate direct accesses to the page, if that is what you need.
But this is not enough; you have to secure your Ajax call using server-side scripting (e.g. PHP). For example, if your AJAX passes the key to the PHP file, write code in the PHP file to make sure it is the correct key.
Upvotes: 2