J4 secure API token for external use


GhiaMar

Jul 1, 2022, 8:47:12 AM7/1/22
to Joomla! General Development
Hi! I'm developing a component to get my mobile apps to contact my Joomla server to add some data to the site. As the API request will be done in a mobile app code, I wonder if it's possible to restrict somehow my Joomla user API token to filter requests from outside the mobile app. I mean, what happens if someone disassembles my app and is able to get my Joomla user API token? It will be possible to forge API calls from anywhere.

I wonder if there's some feature like the Google dev console that lets you restrict the use of an API credential to specific domains or apps.

Thanks!

MarkRS

Jul 1, 2022, 11:18:22 AM7/1/22
to Joomla! General Development
I think the user token isn't, and isn't supposed to be, a robust solution. Looking at other information about this the last I've seen is George Wilson saying he's "sure" that third party oAuth solutions (for example) will become available. I haven't seen any, but then I haven't really looked.

I'm in a similar (but clearly different in significant ways) position to you but using Play Store tokens to verify any important data transfer.

GhiaMar

Jul 1, 2022, 3:46:06 PM7/1/22
to Joomla! General Development
Thanks @MarkRS! Would you share some code to be able to implement that functionality? I mean the Play Store thing.

MarkRS

Jul 2, 2022, 6:27:36 AM7/2/22
to Joomla! General Development
The PlayStore thing is quite involved.
You put code in your app to make a purchase. The store returns the sale details, which includes a token, on successful purchase. The store also sends a message direct to your webserver which needs to acknowledge it and then it receives all the information, including (?) the token which you store and then compare with what comes from the app.

That way you've got a token that users haven't had a chance to tamper with, via a route that the users don't have access to, that you can compare with what the app sends.

You need to use the Google Billing Client (https://developer.android.com/reference/com/android/billingclient/api/BillingClient) in your app. Follow that link; it explains it all and gives links to the other bits you need too.

It's not very simple, but we are programmers, so that's fine :)

Martin Briglia

Jul 2, 2022, 8:03:25 AM7/2/22
to joomla-de...@googlegroups.com
Great! Thanks! My model in the app is to let the app register in my J server its push token, given by Google or Apple. I don't know if it's worth all the effort.


MarkRS

Jul 14, 2022, 8:08:47 AM7/14/22
to Joomla! General Development
I've just found oAuth code in the J4 core.
If this is still a thing for you check out /libraries/vendor/joomla/oAuth1 and ...2.
Dunno how it works, but perhaps you can work it out (and publish a document on how to? :) )

GhiaMar

Jul 14, 2022, 8:35:45 AM7/14/22
to Joomla! General Development
Cool, can you share some oAuth docs? Because I really don't have experience with that. Anyway, my implementation requires no interaction with the user, because I need my app to send push tokens to the server so they can get saved for future push notifications.

MarkRS

Jul 14, 2022, 9:16:41 AM7/14/22
to Joomla! General Development
It's not (just) the interaction with the user that you need to pay attention to, it's how hackable it is, and anything that's sourced from the app can be hacked, and you should expect it to be. The good thing about the purchase token is that it's not sourced from the app, and you have one copy that arrives by a separate route. However, I know (?) that you're not dealing with purchases, so if that token is sourced from your app and then simply passed on by the Google Store, hackers have a potential route in.

I'm afraid I don't have any oAuth experience, I only know of it, and saw that there is code in the J4 core. I'm happy to help you work through it if you like, but I'm starting from scratch too.
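Added example, not from the thread, Joomla or Google: the server side of the purchase-token flow MarkRS describes in his Jul 2 reply (the store notifies the web server directly, the server keeps that copy, and the copy the app sends is compared against it), which is also the point made in this reply, that only a token which did not originate from the app can be trusted. The class and method names, the in-memory store and the notification payload are all constructed for illustration; the real Play notification format is not reproduced here, and a real component would keep the trusted tokens in a database table rather than an array.

```php
<?php
// Added example (not from the thread, Joomla or Google). All names are hypothetical.
// Trusted tokens enter only through the store's server-to-server notification;
// the endpoint the app talks to can only ask "does the store already know this token?".

final class TrustedTokenStore
{
    /** @var array<string, array{order: string, used: bool}> keyed by the store's token */
    private array $tokens = [];

    // Handler for the notification the store sends straight to the web server.
    // This is the route users cannot reach, so tokens recorded here are trusted.
    public function recordFromStoreNotification(string $token, string $orderId): void
    {
        $this->tokens[$token] = ['order' => $orderId, 'used' => false];
    }

    // Handler for the app-facing endpoint. True only if the presented token
    // matches one delivered out of band and has not been consumed already,
    // so a token lifted from a disassembled app cannot be replayed.
    public function verifyFromApp(string $presented): bool
    {
        foreach ($this->tokens as $stored => $meta) {
            // hash_equals() compares in constant time, so a mismatch
            // does not leak how many leading bytes were correct.
            if (!$meta['used'] && hash_equals($stored, $presented)) {
                $this->tokens[$stored]['used'] = true;
                return true;
            }
        }
        return false;
    }
}

// Constructed sample exchange.
$store = new TrustedTokenStore();

// 1. The store's notification reaches the web server (constructed payload,
//    not the real Play notification schema).
$notification = json_decode(
    '{"purchaseToken":"tok_example_123","orderId":"ORDER-EXAMPLE-1"}',
    true
);
$store->recordFromStoreNotification($notification['purchaseToken'], $notification['orderId']);

// 2. The app forwards the token it got from the store: accepted, and marked used.
var_dump($store->verifyFromApp('tok_example_123'));

// 3. The same token presented again: rejected (replay).
var_dump($store->verifyFromApp('tok_example_123'));

// 4. A token the store never delivered to the server: rejected (forged).
var_dump($store->verifyFromApp('tok_forged'));
```

The one-time "used" flag is a design choice added here, not something the thread specifies; it narrows what an attacker gains from a token captured on the device to nothing once the legitimate app has redeemed it. For a push-token registration flow like the one asked about, the same structure applies only if some server-to-server route exists that the app does not control; if the only copy of the value comes from the app, this check has nothing trustworthy to compare against, which is exactly the limitation MarkRS points out.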