How can I prevent bots and spam API requests?

Question

I'm working on an Android app in react-native and the app communicates with an API I'm working on for the app. The API is built with Laravel and Laravel Passport.

I know that Android apps can be decompiled so any secret keys stored within the app could be easily found. This is the reason for my current approach.

You can only gain an access code during registration. The application uses anonymous accounts so if you lose the access token, it's too bad. The app makes an API request to /api/register which creates the account and returns an access token. The app would store the token and use it to make further API requests.

The problem is that the registration route does not use any client secrets or access tokens. It is very easy to automate requests to the route and create an army of bots. I could potentially limit the amount of requests like a lot of API providers do but that wouldn't stop the issue.

I've heard about payload hashing but this usually requires a salt that is in both the app and api. Again, this is not secure and couldn't someone just hash it themselves if they know the salt to spam requests? Maybe I'm misunderstanding how payload hashes work.

Hopefully someone can assist.

Answer 1

I'm at this junction at the moment and the route I'm taking is one where the user is challenged to solve a simple puzzle:

1. registration process on app/web picks up a challenge from my registration server
2. the challenge is shown to the user with the input fields: email/username, password and the answer input for the challenge
3. it all gets sent to the registration server and if the answer is incorrect, the registration is denied

This "are you human" challenge is what will stop bot-registration so it needs to be a little smarter than the one coding the bots, so a selection of various challenges on the server would be nice. I'm thinking of "select the n-th value from the dropdown", "select the first/last option", "write the color 'blue'" or "what whole number is between 3 and 5", and so on, for which variables can easily be generated by the server, the challenge and answer input can easily be created by the registration script, and it's easy and not very time consuming for the user to solve.

Another option I'll explore is to throttle requests by IP, combined with black-and white-listing those.

Answer 2

You'll probably want to use something to detect the user agent hitting the route. This package has a lot of useful features:jenssegers/agent. For example, it offers crawler detection:

$agent->isRobot();

Depending on your hosting provider, you may have access to tools that automatically blacklists ip addresses after X number of requests per minute (or other metrics). I know AWS offers this service.

Another option is antonioribeiro/firewall. Track users based on ip or geography and redirect/block accordingly.