ZF2 - Check referer in API call - zend-framework2

I want to write an internal REST API which returns some JSON data. How can I protect that API call so that it can only be called from the same domain? Should I do it with a dispatch listener?
Thanks!

You could indeed create a guard (an event listener). You can have a look at BjyAuthorize to see how it's implemented there: https://github.com/bjyoungblood/BjyAuthorize/blob/master/src/BjyAuthorize/Guard/Controller.php
Other than that, I'm not sure, but how about trying server-side things, like the Same Origin Policy or CORS headers?
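One way to implement such a guard in ZF2, as an added example that is not from the original answer, from BjyAuthorize or from the Zend Framework documentation: a dispatch listener attached in the module's onBootstrap that checks the Origin header (falling back to Referer) of every request under the API path. The /api/ prefix, the origin https://app.example.com and the method names are assumptions.

```php
<?php
// Added example (not from the original answer, BjyAuthorize or ZF2 itself):
// a ZF2 dispatch listener that rejects API requests whose Origin/Referer
// does not match the application's own origin. Assumed: the API lives
// under /api/ and the app is served from https://app.example.com.
namespace Application;

use Zend\Mvc\MvcEvent;
use Zend\Http\Request as HttpRequest;
use Zend\Http\Response as HttpResponse;

class Module
{
    const OWN_ORIGIN = 'https://app.example.com'; // assumption

    public function onBootstrap(MvcEvent $e)
    {
        // High priority so the guard runs before any controller is dispatched.
        $e->getApplication()->getEventManager()
          ->attach(MvcEvent::EVENT_DISPATCH, array($this, 'guardApiOrigin'), 1000);
    }

    public function guardApiOrigin(MvcEvent $e)
    {
        $request = $e->getRequest();
        if (!$request instanceof HttpRequest) {
            return null; // console request, nothing to check
        }
        if (strpos($request->getUri()->getPath(), '/api/') !== 0) {
            return null; // only guard the internal API (assumed prefix)
        }

        // Prefer Origin (browsers send it on cross-site XHR/fetch and on POST);
        // fall back to Referer, which most browsers send on same-site GETs.
        $headers = $request->getHeaders();
        $source  = null;
        foreach (array('Origin', 'Referer') as $name) {
            if ($headers->has($name)) {
                $source = $headers->get($name)->getFieldValue();
                break;
            }
        }

        if (!self::isOwnOrigin($source, self::OWN_ORIGIN)) {
            /** @var HttpResponse $response */
            $response = $e->getResponse();
            $response->setStatusCode(HttpResponse::STATUS_CODE_403);
            $response->getHeaders()->addHeaderLine('Content-Type', 'application/json');
            $response->setContent('{"error":"forbidden"}');
            return $response; // returning a Response short-circuits dispatch
        }
        return null;
    }

    /**
     * Compare scheme, host and port exactly. A substring test such as
     * strpos($source, 'app.example.com') !== false would also accept
     * https://app.example.com.attacker.example/ and
     * https://attacker.example/?x=app.example.com, so parse the URL first.
     */
    public static function isOwnOrigin($source, $own)
    {
        if ($source === null || $source === '' || $source === 'null') {
            return false; // missing or opaque origin: fail closed
        }
        $s = parse_url($source);
        $o = parse_url($own);
        if ($s === false || empty($s['scheme']) || empty($s['host'])) {
            return false;
        }
        $port = function (array $u) {
            if (isset($u['port'])) {
                return (int) $u['port'];
            }
            return strtolower($u['scheme']) === 'https' ? 443 : 80;
        };
        return strtolower($s['scheme']) === strtolower($o['scheme'])
            && strtolower($s['host']) === strtolower($o['host'])
            && $port($s) === $port($o);
    }
}
```

Two caveats worth keeping in mind. First, this only stops browsers on other sites: anything that is not a browser (curl, a script) can set Origin and Referer to whatever it likes, so if the data is sensitive the API still needs real authentication of the caller. Second, some browsers, privacy extensions and Referrer-Policy settings strip the Referer, so a guard that falls back to Referer can reject legitimate same-site GETs; checking Origin on state-changing (POST/PUT/DELETE) requests is the more reliable part of the check.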

Related

What is the advantage of using a GET http method to update values as opposed to POST http method?

I was reading up on how to create a Telegram bot and I see that to set a webhook you use the GET HTTP method. I assume that your link will be stored somewhere on Telegram's servers.
So now my question is:
Why not use the POST HTTP method? What is the advantage of this design of using the GET HTTP method in this case rather than the POST HTTP method for something that pushes data?
The Bot API supports both GET and POST HTTP methods. It's up to you which to use. (See this or this.) I think it makes the API easy and fast to get started with.
For the sake of simplicity one might choose a simple GET request to set a webhook: put together a URL with some parameters and call it in a web browser, done! The webhook is now set.
Still, it is possible to do the same with a POST request (and you can argue it is the preferred way to do so). But it would need tools like Postman, cURL or some browser extensions.

Enabling cors on petstore.swagger.io

I'm playing with the Swagger Editor, the pet store example, and the API there shows this message under each endpoint:
This is a cross-origin call.
Make sure the server at petstore.swagger.io accepts POST requests from editor.swagger.io.
OK, so I go to http://petstore.swagger.io, but where exactly do I set CORS there? I don't see it.
Thanks.

Change HTTP POST request to GET request for mobile client app

We have an existing API like
/api/activation_code
Each time, the activation_code will be different; the server then creates a token for this call and returns it. Usually each call has a different activation_code, which returns a different token.
Since this API needs the server to create something, it is designed as POST.
Can we design this API as HTTP GET?
What are the pros and cons?
You could design the API to support GET requests, but I would not recommend this. If your API is accessible via a website, a user could accidentally activate an account multiple times since the URL will be stored in the browser's history. Additionally, web crawlers could potentially supply values to your API through the URL if you support GET requests.
POST requests are much better because the information is included in the body of the request, not the URL. Thus, it is much less likely that something will go wrong accidentally.

How print file in RestFull+Oauth

We created a web project with REST + OAuth.
It looks good: the client sends a token for each request in the Authorization header.
But for some requests we can't add a header.
For example, when we print some image or document.
Because we use window.open, we only have GET params at our disposal.
Right now I see one way: for that request, add the token to the URL as a GET param (?token=xxxxxxx) and hide the URL bar in the child browser window.
But I think that's not a good way.
Maybe somebody has another idea or practical experience implementing it.
Putting the token in the URL is not a good way, as it will be public on the network and anyone sniffing your network will get the token. I think you have to make a reverse proxy on your server to get the file you want, after checking a session attribute to be sure you are authorized for that.
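What the answer describes, as an added example that is not the answerer's code: a small server-side "print" endpoint that the page opens with window.open('/print.php?doc=42'). It authorizes the caller from the PHP session, fetches the document from the OAuth-protected REST API server-to-server with the token in the Authorization header, and streams the result to the new window, so the token never appears in a URL, in browser history or in proxy logs. The API base URL, the session keys and the document-id format are assumptions.

```php
<?php
// Added example (not the answerer's code): session-checked proxy for a
// document that the browser can only request with a plain GET.
// Assumptions: login stored 'user_id' and 'oauth_token' in the session,
// and the REST API lives at https://api.example.com.
session_start();

$apiBase = 'https://api.example.com';                 // assumed internal API
$docId   = isset($_GET['doc']) ? $_GET['doc'] : '';

// 1. Authorization comes from the session established at login, not from the URL.
if (empty($_SESSION['user_id']) || empty($_SESSION['oauth_token'])) {
    http_response_code(401);
    exit('not logged in');
}

// 2. Validate the only user-controlled input before it is put into a URL,
//    so a caller cannot turn this proxy into a request to arbitrary paths.
if (!preg_match('/^[0-9]{1,12}$/', $docId)) {
    http_response_code(400);
    exit('bad document id');
}

// 3. Call the API server-to-server; the bearer token travels in a header over TLS.
$ch = curl_init($apiBase . '/documents/' . $docId . '/pdf');
curl_setopt_array($ch, array(
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER     => array('Authorization: Bearer ' . $_SESSION['oauth_token']),
    CURLOPT_TIMEOUT        => 30,
));
$body   = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($body === false || $status !== 200) {
    http_response_code(502);
    exit('could not fetch document');
}

// 4. Stream it inline so the child window can render and print it;
//    no-store keeps the document out of shared caches.
header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="document-' . $docId . '.pdf"');
header('Cache-Control: private, no-store');
echo $body;
```

The API still enforces authorization on its side (the token identifies the user), so the proxy adds no new trust; it only moves the credential out of a place where a URL-only mechanism like window.open would expose it.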

get referring url from my rest api

I am building a REST API in MVC. When consuming the API, I need to be able to get the referring URL that is calling the service. I have tried Request.UrlReferrer and it comes back null. How can I get the URL that is consuming the service?
Are you sure you don't mean that, in the consumer, you need to know the referer of the client making the REST call?
If this is the case, what you need to do is look at the request headers and extract the Referer from them.
