We have existed API like
/api/activiation_code
each time, the activiation_code will be different, then server will create a token for this call and return it, usually each call will have different activiation_code which return different token.
Since this API need server to create something so it is designed as POST.
Can we design this API as HTTP GET ?
What is the pro and cons ?
You could design the API to support GET requests, but I would not recommend this. If your API is accessible via a website, a user could accidentally activate an account multiple times since the URL will be stored in the browser's history. Additionally, web crawlers could potentially supply values to your API through the URL if you support GET requests.
POST requests are much better because the information is included in the body of the request, not the URL. Thus, it is much less likely that something will go wrong accidentally.
Related
I am making an api backend that makes use of another api,for example Twitter. (Please note the actual api isn't twitter but I am using them as an example).
Let's say that Twitter has a limit on the number of calls that can be made to their api and above this limit, it starts to charge my credit card. This is why it is very important to me that no one misuses my api.
I want to prevent people from looking at my frontend code and seeing which endpoint it hits, because if a malicious person were to do this, I would very quickly go over the limit and have to pay $$$.
My frontend code uses a get call to mybackend.com/twitter/api
Is it enough to simply add an Access-Control-Allow-Origin header to my backend?
headers['Access-Control-Allow-Origin'] = 'myfrontend.com'
The reason I am asking this is because I noticed that typing mybackend.com/twitter/api directly into the browser worked, which is not what I would expect if I had access-control-allow-origin set to a specific website.
Am I doing something wrong? How do I prevent someone from simply writing a script to hit my backend since it is clear that just typing it into the url of my browser works, despite me having an access-control-allow-origin header.
There are two possible solutions for your problem. You can try to implement a request signature for your API, to know exactly the source of it on your backend. You can take a look on how this works here.
The second option, and for me, a one witch fits your problem better, is to set up a Denial of service approach on your server Load Balancer to prevent multiple requests from a same origin, and so, don't let those kind of malicious requests hit your backend.
I'm drawing an architectural blank on good ideas of how to handle token authentication.
We have phone apps that generate REST requests to our backend API (rails).
Right now varnish is in front of our API and it's working great, however there's a gaping hole in how we handle auth: we dont.
I'm not looking to get flagged for asking for someone to solve it, I'm just asking from a high level how some have.
The phones create their device in the app via POST and get a unique token. They submit that token in all their other GET requests via Authorization: OAuth {token}. Our rails API handles this fine, but since the GETs are cached through varnish, we've hamstring'd it.
Due to performance we want to not cache each response per phone. The responses across the phones are all the same. If I were to add the token header to the hash in vcl_hash, that means that if 50 phones were to request /a/1, then we'd have 50 of the same items in cache, and the backend would get 50 requests. We'd like to avoid that.
I'm at a blank on how to authenticate the clients on a group level of some method.
Not sure if helpful:
Varnish 3.0.7 is what we have. Not against 4, just havent.
Every client goes through varnish, however we only care about User-Agent being android/ios. That part is done, anything else just goes straight to the API.
Given the previous point, it's safe to assume that all clients that we would hash/cache would have the same authorizations. It's purely the auth token issue. ie. All clients with a token we would just check to make sure it's valid and give them the cached resource. There will never be different resources across the clients using tokens.
If I'm understanding correctly, I see a couple potential approaches.
1) You can set up a backend that does nothing but validate the user - have Varnish validate anything that has not been restarted, and only after validation return the cached resource. Here's a good blog post that gives some VCL to get you started.
2) This is more speculative on my part - you can use ESI (Edge Side Includes) in Varnish to do the Auth. What I'm not sure about is if there's a way to kill the request or pass a failing status code from within an ESI fragment. If not, you'd end up returning the content even if the auth failed. Messy.
My client redirects to a https://domain.com/Controller/GetInfo?Querystring method. Now my query string is getting dangerously close to the 2K limit, so I need to reproduce this behavior but pack my query string into the content of the messages. Since it would be heresy (etc.) to try a GET with content, I'll use a POST. However, I can't redirect to a POST since a Redirect has no content.
So, what I am looking for is the best MVC 5 pattern to resolve this: I need to provide lots of content, but I want the resulting page hosted on my remote server (i.e. as if I had redirected)
Also, since I use load balanced servers in azure, I'd prefer maintaining my clean stateless server if at all possible (else I'll have to introduce session caching).
#AntP is absolutely right in the comments above. If your query string is approaching 2K, then you're abusing it.
If there's a particular object you're referencing, then you can simply include the id or some other identifying piece of it and use that to look it up again from your data store.
If there's no persistent record of the object, then you can use something like Session or TempData to store it between one request and the next.
Regardless, it's not possible to redirect with a request body, with also means it's not possible to redirect using POST. The reason for this that the a redirect is not something the server does, but rather the client. The server merely suggests that the client go to a different URL. It's then up to the client (web browser) to issue a new request for that URL. Since the client is the one issuing the request, it makes the decision about what data is or isn't included in that request, not the server.
I am building a rest api in mvc. When consuming the API, I need to be able to get the referring URL that is calling the service. I have tried Request.UrlReferer and it comes back null. How can I get the url that is consuming the service?
Are you sure you don't mean in the consumer you need to know the referer of the client making the REST call?
If this is the case what you need to do is look at the request header and extract from it the Referer.
Is there any way to inform web site has been changed?one way is get all web page contex and compare it with previous contex!but Im looking for solution that notify web page changes without get page context!
The only way that you could tell a website had changed without accessing the content is for the website to notify you itself, through an API or RSS feed or similar mechanism.
Unless the site in question has a mechanism to actively notify you...
You don't necessarily need to get all site content, but you do need to make a request to the site. You can make a HEAD request to get only the headers. Depending on the site, these headers may contain information about when it was last modified.
Additionally, you can check for a response of 304 Not Modified if you have content cached. This is more often seen with a HEAD request than a GET request, but can be used either way. Like with any request, of course, it depends on how the server decides to respond.
You can look up the standards easily enough, and how you make use of these options depends on what technology you use. But basically a HEAD request is simply asking the server, "Don't send me the page, just send me some basic information about the page." And checking for a 304 response is basically asking the server, "This is when I last accessed this resource, has anything changed?"