Authentication for client side APIs?

I'm thinking of the Google Static Maps API, which limits you to 1000 static maps, even if you sign up for an account. How do they track billing, etc., when everything on the client is publicly available?

For most server-to-server APIs, an access_token / key / etc. is provided to me, which I can pass to the service to prove who I really am, but on the client any such access_token / key / etc. immediately becomes well known.

In general, what strategies for client libraries (FB SDK, Stripe, Google, etc.) are used for authentication and how do they circumvent the fact that everything on the client is public?

1 answer

You can configure your API key with a host whitelist, which tells Google Maps to allow the key only when the referring site matches your whitelist.

If any other site uses your API key, it will receive this loading error message:

This website needs a different Google Maps API key. A new key can be generated at http://code.google.com/apis/maps/documentation/javascript/v2/introduction.html#Obtaining_Key .

You can verify this yourself using the RefControl extension for Firefox.

This works because:

  • Almost all web browsers send the referrer (i.e. the URI of the resource that refers to it) as part of the request.
  • In order for someone to steal your API key (since, as you say, it is public), they would need to tell all their users to override their referrer to match the site it was stolen from (which is clearly not practical).

Please note that Google seems to allow requests that do not contain a referrer. I think the number of browsers configured to exclude this information is small, so this need not be a concern.

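The referrer check the answer describes, as an added example written in Python; it is not Google's code, and the whitelist, the wildcard syntax and the sample Referer values are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed whitelist of referring hosts (assumption: the style of a host
# whitelist). A leading "*." matches the bare host and any subdomain.
WHITELIST = ["maps.example.com", "*.partner.example"]

def host_matches(host, pattern):
    """Exact host match, or subdomain match for a '*.' pattern."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern

def referrer_allowed(referer, whitelist=WHITELIST, allow_missing=True):
    """Decide whether a request may use the key, based on its Referer header.

    Returns (allowed, reason). A missing Referer is accepted when allow_missing
    is True, mirroring the lenient behaviour the answer notes; pass False to
    reject such requests instead.
    """
    if not referer:
        return (allow_missing, "no referrer")
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return (False, "unparseable referrer")
    # Compare the parsed host only, never the raw string: a query string or a
    # look-alike host such as maps.example.com.evil.test must not match.
    for pattern in whitelist:
        if host_matches(parts.hostname, pattern):
            return (True, "matched " + pattern)
    return (False, "referrer host not whitelisted: " + parts.hostname)

# Constructed sample Referer header values (None = header absent).
SAMPLE_REQUESTS = [
    "https://maps.example.com/store-locator",
    "https://shop.partner.example/page",
    "https://evil.test/steal?ref=maps.example.com",
    "https://maps.example.com.evil.test/",
    None,
]

def audit(requests, **kw):
    """Run the check over a batch of Referer values."""
    return [referrer_allowed(r, **kw) for r in requests]
```

The Referer header is a client-supplied hint that a non-browser client can set freely, so this check limits casual reuse of a published key rather than determined abuse; pair it with quota monitoring on the key.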

Source: https://habr.com/ru/post/1411832/
