I have a same issue for this : here
According to answer, master key can response all data for my request.
Actually, I already have tested with master key : youtube-dl and I can get all data(specific user's track list).
So I wonder how to get Soundcloud master API key. (I already have normal API key. but I can't get a specific user's track list)
Thanks.
You don't. SoundCloud's master key is for their apps, not for anyone who registers an application. No API client can or should have a master key. The developers of youtube-dl have managed to reverse engineer the iOS app to get the master key from there, but that is a violation of SoundClould's Terms of Service.
My answer on the linked question went into detail on the different types of responses that are returned from the server using different keys. This approach was purely experimental and should not be used in production.
Related
I have my public API running on AWS API Gateway, and now I want to add API keys to it, basically to see "who is using which endpoint and how many time per month/week/whatever". My API already has user management logic, with its own users db table.
The part I need help with is the analytics part - say I have this up and running, I need to be able to extract some sort of report saying, for each user (by name), how many calls were made to each endpoint. So far, the closest I've gotten was https://stackoverflow.com/a/52361117/1514576 which gets me the info I need by API key. The part that I'm missing is how I could potentially cross-reference this data with my "users" database table.
I was hoping one of you had faced a similar problem and could share how you handled it.
I have seen the demo in WWDC18 related video here:
https://developer.apple.com/videos/play/wwdc2018/303/
but it is not from the scratch. I don't see that which tool they have used and where we need to start it. Can anyone help with it?
I watched that video too today and I wanted to use these API features, as for now 19-6-2018 this is still marked as coming soon... based on the App Store Connect website https://developer.apple.com/app-store-connect/
In addition, the new API Keys tab under the main App Store Connect is not available yet.This is the starting point to issue / create the API keys.
I am on look out and waiting...
The App Store Connect API is now available. You can find out more here:
https://developer.apple.com/app-store-connect/api/
The general steps are:
Request access to the API.
Your Team Agent (with the Legal role) will need to do this part.
Create and download an API key.
Anyone with Admin access can do this. Each key you create can only be downloaded once, and should be kept safe.
Use the information on the Keys tab + your private key to generate a token.
You can find libraries for many languages to make this easy here.
Supply the JWT as a bearer token in the HTTP Authorization header when making requests.
For example:
GET https://api.appstoreconnect.apple.com/v1/apps
Authorization: Bearer XYZ123
Where XYZ123 is your JWT. (Your real JWT will be much longer.)
Available API endpoints are documented here:
https://developer.apple.com/documentation/appstoreconnectapi
App Store Connect API available here now.
I have some REST services on my site that will be available for 3rd parties to access.
My plan is simple. In order to call on these services, they need to request a key from me. I will privately supply them with a GUID. Each call to any of my services will, via a filter, check the header for the key and accept/reject the request accordingly.
This site is all HTTPS so the key would be encrypted during transit. I'm not worried about the key being visually identifiable to authorized clients. In other words, I'm not worried about any kind of 'inside' attacks or people sharing the key. I just don't want random, unauthorized outside users.
I have looked around and I don't really see anybody doing it exactly this way. I feel like I'm over-simplifying... but on the other hand, I don't see what's wrong with it either.
My question is.. does this sound secure enough (from a basic/minimal perspective) or does it expose some gaping security hole that I'm not seeing?
FWIW - I am using the Spring Framework, including Spring Security 4.
Thanks!
If it's HTTPS and the API key is in the header encrypted during transit as you described etc, then it follows a pretty standard design authentication pattern.
Your security now depends on how you distribute and store your API keys.
Although, you could use an "Application Identifier and Key pairs" approach.
Whereas the API Key Pattern combines the identity of the application
and the secret usage token in one token, this pattern separates the
two. Each application using the API issues an immutable initial
identifier known as the Application ID (App ID). The App ID is
constant and may or may not be secret. In addition each application
may have 1-n Application Keys (App_Keys). Each Key is associated
directly with the App_ID and should be treated as secret.
Just in case you wish to extend the application in the future.
Using this link I can see that my (tonylampada) id on github is 218821
https://api.github.com/users/tonylampada
How could I do the opposite? Given the user id = 218821, what's the username?
Update
Answering nulltoken here because it's a long story and it won't fit in a comment.
FreedomSponsors is a django application that uses django-social-auth to enable login with Github (and others).
(You should check it out, btw, please see the about page in the blog :-)
Django-social-auth has a configuration flag that allows the application to store the github username on the database.
A few days ago I deployed a new version of FS with github login enabled, but with "storeGithubUsername" set to false.
A few users registered their github accounts, and now the database has their github ids, but not their usernames.
You can se in my profile that I have github as a "connected account" but there's no link to my github page.
I need it to make the link point to https://github.com/tonylampada
I'm ready to deploy a new version that fixes this, by setting the "storeGithubUsername" (that's not what it is called, I'm just simplifying here) to true.
But I'd like to patch the database with the already github-registered users. I have their github ids, but not their github usernames.
We need to do this on Gitter to deal with the situation where a user has changed their username on GitHub and we get a 404 response when querying their old username.
Here's an undocumented endpoint, so use as your own peril, but it does work for now.
Use the endpoint: https://api.github.com/user/:id, where :id is the ID of the user.
Similar endpoints exist for repos and orgs, at
https://api.github.com/repositories/:id and https://api.github.com/organizations/:id respectively.
Note that the new repository redirects preview API only supports repositories, not renamed users or organizations. In fact, the HTTP 301 redirect actually points to https://api.github.com/repositories/:id, so there's a good chance that these "ID" endpoints may in fact become official soon.
There's no documented feature, nor undocumented ones that I know of, that expose the retrieval of the username from the id. From the GitHub API consumer perspective, the user id is an "implementation detail". The real key is the username.
From what I understand, you only require a batch of usernames given a list of ids. And this would be a one time only request, not a permanent need.
As your request seems legit and limited in its scope, you might get this answer directly from GitHub support by dropping them an email at support#github.com.
Indeed, xpaulbettsx, a GitHubber, even tweeted about this:
Support# is good for Anything you want to tell GitHub - bugs, features, high 5s; everything but security which go to security#
By the time I answer this question, the method that works is:
https://api.github.com/user/USER_ID
Remark: It is similar to what Andrew shared in 2015; you just have to remove the colon in the URL he shared.
I'm using FB.Connect.createApplication (http://developers.facebook.com/docs/?u=facebook.jslib.FB.Connect.createApplication) to create applications on the fly. The problem is that the method doesn't return the API secret (only the app ID and api key). This is a big problem. Does anyone know if it's possible to fetch this data provided you have the application ID and API key?
Thanks
I dont think so. I know that some other APIs try to make secret keys nearly impossible to get through scripted methods for security. Not sure about facebook but from the forums it seems like the createApplication() method was rolled out before it was completely finished. The consensus on the dev forums is that it will get rolled out ... eventually.
Found out that what I'm trying to do is impossible. The next best solution is to create a child application, and make calls on its behalf (from the parent application).