Secure the API

Create issue
Issue #12 new
Jelmer van der Linde created an issue

Currently anyone who knows how the API works and can obtain your session-id from a cookie could obtain information about you through the API unnoticed.

The cookie is side wide intentionally. It was ment as solution for the problem that you need to log in to the SD and the website individually. Due to the introduction of https for only the website this hasn't been solved yet. (I want a wildcard certificate, and I want it now! ;) )

One way to have more control on who uses the API is to introduce API keys & secrets. Simply put, each application which wants to use the API has to send an API key with each request as well as a hash of the request hashed with its secret to sign the request. This way only when an attacker obtains the secret he/she is able to hijack the key but the secret is never transmitted in any of the requests.

Currently intercepting requests between an application and the website isn't easy since all uses of the API are limited to the Cover server itself but maybe in the future people would want to use the API from their personal domain to extend the utility of the website itself. And personally I would love to see such implementations and want to make sure that this would be possible.

.. really we should just use OAuth but that is so horribly complex :(

Comments (2)

  1. Marijn Pool

    With this it would for example be possible to login with your Cover-account on an event(LanCie) website and let the sign-up form be automagically filled with that user's data?

  2. Jelmer van der Linde reporter

    You can. We currently have this already implemented on the Merchandise website. It does not allow you to login but since the cookies for the Cover website are domain-wide, you can use that session if the user is already logged in on the main website. See the code in cart.php:

    $user = get_cover_session();
    if ($user)
        $naam = implode(' ', array_filter(array($user->voornaam, $user->tussenvoegsel, $user->achternaam)));

    The functions you need for this are implemented in include/session.php

    If you do want to build a login system you could use the code of the Documents & Templates as example.

  3. Log in to comment