Private calls to API - rest

I have two microservices: registrations, which is responsible for registering new users, and users, which holds information about users. Each of them has its own database.
When a user tries to register, a call to users is made via the API, e.g.
GET users/verify?email=foo%40bar.com
to check if the email has already been assigned to a profile. Although I could hide the access point users/verify in the public docs, it would still be accessible.
What is the best way to allow only private IPs to make requests to the API?

You may use a Gateway; some alternatives are:
Tyk
Kong
Netflix/Zuul
There is a nice article at https://thenewstack.io/api-gateways-age-microservices/

Keep it simple. Do it at the firewall level.
Whitelist the IP(s) that you want to be able to make requests, and reject the rest.
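The firewall rule above is the primary control. As an added example (not code from the question or either answer), here is the same allowlist applied inside the users service as defence in depth, which also shows the check a firewall cannot make for you: which address to test when the request arrives through a reverse proxy. The CIDRs, the trusted-proxy range and the X-Forwarded-For handling are assumptions; substitute your own service network.

```python
import ipaddress
from typing import Iterable, Mapping, Optional, Tuple

# Assumed allowlist: the RFC 1918 ranges, loopback, and IPv6 ULA/loopback.
# In practice use the exact CIDRs of the network your services share.
PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
]

# Assumed addresses of the reverse proxies whose X-Forwarded-For we trust.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def in_networks(addr_text: str, networks: Iterable) -> bool:
    """True if addr_text parses as an IP that falls inside one of networks."""
    try:
        addr = ipaddress.ip_address(addr_text.strip())
    except ValueError:
        return False  # not an IP at all (hostname, empty header): deny
    return any(addr in net for net in networks)


def effective_client_ip(peer_addr: str, forwarded_for: Optional[str]) -> str:
    """Decide which address the allowlist applies to.

    The TCP peer address is the only value the client cannot forge.
    X-Forwarded-For is honoured only when the peer is one of our trusted
    proxies, and then only its rightmost entry, which is the one that proxy
    appended; anything to the left is whatever the client chose to send.
    """
    if forwarded_for and in_networks(peer_addr, TRUSTED_PROXIES):
        return forwarded_for.split(",")[-1].strip()
    return peer_addr


def guard_private_endpoint(peer_addr: str, headers: Mapping[str, str]) -> Tuple[int, str]:
    """Return (status, body) for a request to an internal route such as users/verify."""
    client = effective_client_ip(peer_addr, headers.get("X-Forwarded-For"))
    if not in_networks(client, PRIVATE_NETWORKS):
        return 403, "forbidden: internal endpoint"
    return 200, "ok"


if __name__ == "__main__":
    # Direct call from the registrations service on the internal network.
    print(guard_private_endpoint("10.0.3.4", {}))
    # Internet client trying to spoof an internal address via a header it controls.
    print(guard_private_endpoint("203.0.113.9", {"X-Forwarded-For": "10.0.0.7"}))
```

Run it as a WSGI middleware or a per-route decorator in whichever framework the users service uses; the point is that the spoofed header in the second call is ignored because the peer is not a trusted proxy, so the request is refused.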

Making API requests to a 3rd party that requires authentication

Here is my scenario. Imagine there is a yoga studio that uses a professional booking and reservation system that exposes an API. Through this API an application can make a reservation for a client. The API takes the client's userid and password to make the reservation. The booking API doesn't use OAuth or any social media sign-ins.
My desire is to create an Assistant Action that would retrieve the list of classes and allow the client to make a booking.
My puzzle is what design/architecture to look towards to supply the userid/password pair required by the booking API.
How have others solved this puzzle?
Should I store the userid/password as "user state" associated with the action?
First, you should have a conversation with the API provider about why they don't provide an OAuth-based solution. This is a security vulnerability waiting to happen, if it hasn't already.
Second, you need to think very carefully about your own risk profile in this case:
Google does not allow you to collect credential information (i.e. passwords) through your Action.
Because of this, you must use Account Linking to authenticate them.
This means that you will need something (i.e. a database or data store) to manage their account on your side.
This database would be a good place to keep the username/password you need to use for them for the API...
...but it now means that you need to take extreme care about protecting this database.
You don't really say how this API allows for accounts to be created and managed. If these accounts are just used for you (i.e. the user doesn't necessarily see them), then you can mitigate some of that risk by treating the username/password as an opaque token that you manage and generate and that the user never sees.
If this is something that the user is aware of, then you'll need to approach the account linking in one of two ways:
Have them log into your service via an app or webapp using this credential info that you will need to save (ack!) and then link to the Assistant using OAuth.
Have them log into your service via an app or webapp using Google Sign-In, which will carry over to your Action. Then have them provide the credential info for the API, which you will need to save (ack!).

Best practice for secure data fetching with Mongodb Atlas

I have a client-side React app that needs to fetch information from a MongoDB Atlas collection, which is being populated directly at the source by another individual. When I went to check the connection string I noticed that the user password for db access would need to be present in the code:
(Not enough rep to post images sorry)
https://i.imgur.com/5Vs23WJ.png
Now obviously, if I include this right in my front-end code, anybody will be able to see my password, and that's no good. But I need this app to be self-contained, and I don't want to have to host a server just to reroute the single GET request that is called upon loading the site.
If I create a new user with read-only privileges, is it safe to keep that user's (super generic, obviously) password in the front-end code for access to the db? Is there any harm in this? Am I correct in assuming that non-whitelisted IP addresses aren't able to make requests to the Atlas db? The only address that is going to be whitelisted is the IP where the web app will be hosted, so I'd imagine I don't need to worry about someone spamming requests to rack up charges on my Atlas account or doing anything else malicious?
I'm a recent grad so I don't have much experience with secure deployment but I'm hoping I can change that this summer.
Thanks :)
I'm not sure about "best" practices, but I'll try to answer according to what I would do:
is it safe to keep that user's (super generic obviously) password in the front-end code for access to the db?
Yes, you can create a read-only user. It's generally not a good idea to use a superuser to do your reads. I would only give as much access as the job requires.
Am I correct in assuming that non-whitelisted IP addresses aren't able to make requests to the Atlas db?
Correct. Only whitelisted IPs will be able to connect to the Atlas instance.
Having answered that, I personally would either:
create an API layer on top of the database to prevent direct access to the database by a client application, or
(If applicable) create a Stitch Webhook that provides a Stitch-based REST API layer on top of the Atlas deployment.
The idea is to provide security by limiting access to the database from the outside world. Using a whitelist is one layer of security. Using a REST API is a further security layer that essentially forces anything that needs database access to go through a guarded gate that is under your control.
Some additional benefits of a REST API gateway:
Should your Atlas URI change in the future, you don't need to redeploy the client applications everywhere again. You just reconfigure the REST API gateway to point to the new Atlas URI, while your client applications can still use the existing REST API address with no change.
Limiting client connections to the database itself. Since only your API gateway can connect directly to the database, there is little chance that the database gets accidentally DDoSed when you have a lot of clients active at the same time.
Note that I would not consider the above to be "best" practice by any means. It's just how I would do it.
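As an added example (not code from the question or the answer), here is the shape of the "API layer on top of the database" the answer describes, using only the Python standard library: the Atlas credential is read from the server's environment and never reaches the React bundle, exactly one read is exposed, the page size is capped, and only an allowlisted projection of fields is returned. The route, field names, the placeholder URI and the sample documents are assumptions; the data access is passed in as a function so the example runs offline, where a deployment would pass a wrapper around pymongo's find.

```python
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlparse

# The credential lives only on this server (environment variable, never in the
# front-end code). The default is a placeholder, not a real cluster.
ATLAS_URI = os.environ.get(
    "ATLAS_URI",
    "mongodb+srv://readonly-user:CHANGE_ME@cluster0.example.mongodb.net/studio",
)

# Only these fields ever leave the gateway, whatever the collection holds.
PUBLIC_FIELDS = ("title", "starts_at", "spots_left")
MAX_LIMIT = 50

# Constructed sample documents standing in for the Atlas collection so the
# example runs without a database. A deployment would instead pass something
# like  lambda n: list(MongoClient(ATLAS_URI).studio.classes.find({}, limit=n))
SAMPLE_DOCS: List[dict] = [
    {"_id": "1", "title": "Morning Flow", "starts_at": "2020-06-01T07:00",
     "spots_left": 4, "instructor_phone": "555-0100"},
    {"_id": "2", "title": "Yin", "starts_at": "2020-06-01T18:30",
     "spots_left": 0, "instructor_phone": "555-0101"},
    {"_id": "3", "title": "Power", "starts_at": "2020-06-02T12:00",
     "spots_left": 9, "instructor_phone": "555-0102"},
]


def fetch_sample(limit: int) -> List[dict]:
    """Stand-in for the read-only Atlas query."""
    return SAMPLE_DOCS[:limit]


def handle_get(path: str, query: Dict[str, str],
               fetch: Callable[[int], List[dict]] = fetch_sample) -> Tuple[int, object]:
    """Serve the one read the front end needs; refuse everything else.

    Returns (status, JSON-serialisable body).
    """
    if path != "/api/classes":
        return 404, {"error": "not found"}
    try:
        limit = int(query.get("limit", "20"))
    except ValueError:
        return 400, {"error": "limit must be an integer"}
    limit = max(1, min(limit, MAX_LIMIT))  # caps what one call can pull from Atlas
    docs = fetch(limit)
    # Project to the public fields; internal data such as _id or phone numbers
    # never leaves the gateway even if someone adds it to the collection later.
    return 200, [{k: d[k] for k in PUBLIC_FIELDS if k in d} for d in docs]


class Gateway(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        query = {k: v[0] for k, v in parse_qs(url.query).items()}
        status, body = handle_get(url.path, query)
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Gateway).serve_forever()
```

With this in place the React app calls GET /api/classes on the gateway, the Atlas whitelist contains only the gateway's address, and changing the Atlas user, password or URI is a server-side configuration change rather than a front-end redeploy.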

API Authentication - Clients (consumers) vs. local users

I work for an ecommerce site and we are looking to expose much of our core functionality via a set of APIs. We plan on re-writing some of our own public facing applications (e.g. the main shop website and our mobile app) to call these new APIs also. We also want to offer some of these APIs out to third-parties who want to integrate with us.
My first question is: what is a suitable authentication method for these APIs? Everything I read is about OAuth, but am I right in saying that this doesn't fit in this case, as we're not looking to use another login system (e.g. Facebook, Google) but rather to restrict access to our own API (so maybe an API key or JWT solution would be better)?
Secondly, our current website has its own user account system. How do you offer /user endpoints (like GET user/1235/paymentmethods) in an API like this? Surely the actual user (website customer) needs to authenticate somehow in order for the given API consumer to access their data.
I've spent the last 2 days reading about this but I'm at a loss as to how to go about this! Any help much appreciated.

Does Salesforce's REST API have service accounts?

I'm trying to interact with the Salesforce REST API for an organisation, and was wondering if it has any notion of Service Accounts or Application Owned Accounts. I can't find any mention of it in the documentation, but maybe they use different nomenclature.
I'd like to enable some form of domainwide delegation of authority, so users aren't faced with the pop up requesting access to their data. This is an internal app, only for this particular organisation.
No, there are no service accounts. There are 'Chatter' user licenses that are free but have reduced functionality: http://www.salesforce.com/chatter/getstarted/?d=70130000000tRG7&internal=true#admin
FAQ: http://www.salesforce.com/chatter/faq/

How to secure Rest Based API?

We intend to develop a REST-based API. I explored the topic, but it seems you can secure an API when your client is an app (there are many ways: public key/private key, etc.). What about websites / mobile websites? If we are accessing a REST-based API in a website which does not use any login for accessing content (login would be optional), then how could we restrict other people from accessing the REST-based API?
Does it make sense to use OAuth 2.0? I don't have a clear idea of that.
A clearer question could be: how can we secure GET or POST requests exposed over the web for a website which doesn't use any login?
If it's a simple GET or POST request which will return you JSON data on specific input, and I have a mobile website which will access that data using GET or POST requests: well, someone else can also access it. The problem is I am not using login, so a user can access the data directly. But how can we restrict other people from accessing that data?
What do you think is the difference between securing a website that is not using REST vs one that is using REST API?
OAuth provides authorisation capabilities for your site; in a REST architecture this means a user of the mobile application will have to provide their credentials before being allowed to access the resource. The application can then decide whether that user has access to the requested resource. However, you've said your website doesn't need to use authorisation.
You can use certificates; however, good luck managing the certificate for each client. My take on it is that, for your explanation, you don't need to secure your website because you will never be able to manage a trust relationship between the client and the server. There are some options though:
You build your own client application that you ship out to people, which can verify itself with the server using a certificate packaged with the client. E.g. iOS has this kind of feature if you build for that device.
You provide a capability to download a certificate that is 'installed' in the browser and used when communicating with your REST API.
Use something like a handshaking protocol, so when a client wants to make the first request it says 'hi, I'm a client, can we chat?' and the server responds with 'yes, for the next X minutes we can; however, make sure you send me this key YYYYYY every time you tell me something' (you can use something like SecureUDID or an equivalent for devices other than iOS).
There are probably others, but you get the basic idea. Again, in my opinion, if your resource doesn't need authorisation then you don't need to secure that REST API. Can I ask what kind of data you are exposing via this REST API, or what functionality you're providing? That might help provide a better answer.
You want authorization: only some agents (mobile clients) and/or users should be allowed to access those APIs.
To solve that problem, you need identification: a way for the server to tell who is who (or what), so the right decision can be made.
There are many different ways to provide some form of identification, depending on how much you care about security.
The simplest is a user agent string specific to your mobile clients. But it can be faked easily. Slightly harder to fake are client-based 'secrets': embed some kind of secret or key in your mobile client code. You can make it really complicated and secret, but as ramsinb pointed out, you can't get security this way, as it would require you to be able to guarantee that the secret you're shipping with the client (whether it's code, an algorithm or any other fancy construct) can't be compromised or reverse engineered. Not happening when you don't control the client.
From there, 3 choices:
Security isn't really required: don't bother.
Security isn't really required, but you still want to limit access to your API to either legit users/agents or people ready to invest some time hacking your protection: go with a specific user agent or a client-embedded secret. Don't invest much into it, as it won't block people who really want access from getting it anyway.
Security IS required, and then I don't think there is a way around authentication, whether it's login/password, user-specific (device-specific?) keys, OpenID, etc. No matter what, you'll have to add to the user's burden to some extent, although you can limit that burden by allowing authentication to persist (cookies, storage...).
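The first answer's "hi, can we chat?" handshake and the second answer's "limit access, but don't invest much" option are the same design. As an added example (not code from either answer), here it is in Python's standard library: the server hands out a key that is valid for X minutes and carries an HMAC over the client id and expiry, so it keeps no state and can still recognise its own keys. The route names, header names, TTL and client id are assumptions, and the secret is generated at import time only so the snippet is self-contained; a real server loads a fixed secret from configuration. Note what the example does not do, which is exactly the caveat both answers make: a scraper can perform the same /hello call and obtain a valid key, so this raises the cost of casual access and nothing more.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

SERVER_SECRET = secrets.token_bytes(32)  # assumption: replace with a configured secret
KEY_TTL_SECONDS = 600                    # the "next X minutes" from the answer


def _tag(client_id: str, expires: int, secret: bytes) -> str:
    """HMAC-SHA256 over (client_id, expiry), URL-safe base64 without padding."""
    msg = f"{client_id}|{expires}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def issue_key(client_id: str, now: Optional[float] = None,
              secret: bytes = SERVER_SECRET) -> str:
    """Server's reply to "hi, can we chat?": a key usable until it expires."""
    expires = int(now if now is not None else time.time()) + KEY_TTL_SECONDS
    return f"{client_id}|{expires}|{_tag(client_id, expires, secret)}"


def verify_key(key: str, now: Optional[float] = None,
               secret: bytes = SERVER_SECRET) -> bool:
    """True only for an unexpired key whose MAC we produced with `secret`."""
    parts = key.split("|")
    if len(parts) != 3:
        return False
    client_id, expires_text, tag = parts
    try:
        expires = int(expires_text)
    except ValueError:
        return False
    if not tag.isascii():
        return False  # compare_digest needs ASCII str; reject junk early
    current = now if now is not None else time.time()
    if current >= expires:
        return False  # expired: the client has to say hello again
    return hmac.compare_digest(_tag(client_id, expires, secret), tag)


def handle(path: str, headers: Dict[str, str],
           now: Optional[float] = None) -> Tuple[int, str]:
    """Tiny router: /hello hands out a key, every other path demands one."""
    if path == "/hello":
        return 200, issue_key(headers.get("X-Client-Id", "anonymous"), now)
    if not verify_key(headers.get("X-Client-Key", ""), now):
        return 401, "say hello first"
    return 200, "ok"


if __name__ == "__main__":
    # The exchange from the answer, both sides, at a fixed clock for readability.
    _, key = handle("/hello", {"X-Client-Id": "mobile-web"}, now=1000)
    print("server issued:", key)
    print("data with key, in time:", handle("/data", {"X-Client-Key": key}, now=1500))
    print("data with key, expired:", handle("/data", {"X-Client-Key": key}, now=1700))
    print("data without key:", handle("/data", {}, now=1500))
```

Because the key is self-describing and MAC-protected, the server needs no session table and rejects tampering with the client id or expiry; rotating SERVER_SECRET invalidates every outstanding key at once, which is the only "revocation" this scheme offers.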