My Requirement
I am making a website which will have a mobile version as well, so I am making it API-centric. Now I want to make my API secure without the complexities of OAuth, because the security I need is quite simple: I don't want anyone with access to the API links to be able to access my data.
So, I came across this article http://ift.tt/xe1ase, which is quite amazing and cleared most of my doubts.
Right now, I am trying to recreate whatever is in the article. I am using the Laravel 5 framework for PHP for development.
I want to make sure that the API is used by the mobile app and the web version only, and by no one else. I have seen API links like
http://ift.tt/1GXIKNq
Now, I understand that this key is generated by using the hash_hmac() function in PHP.
My Approach
- I have a table where I am storing the publicKey and privateKey for my API users.
- That HashKey in the URL is generated by hashing the privateKey and the publicKey on the client side and then sent to the server. So, I send the generated hash along with the publicKey to the server.
- On the server side, I take the publicKey and the hash. I retrieve the private key corresponding to the publicKey from the table, hash them, and check if the resulting hash is the same as the hash sent by the client.
- If it is the same, then I give them permission; else, I don't.
My Confusion
- I am not sure if this is the right way to do this.
- Can we get the data that has been used to generate the hash using hash_hmac() by decrypting the hash?
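The scheme sketched in the question, worked through as an added example (this is not the asker's code, the article's code, or anything from Laravel itself). The server never "decrypts" an HMAC: an HMAC is a one-way keyed hash, so the server verifies by recomputing it with the private key it looked up for the publicKey and comparing the two values. The example goes a little beyond the question in one respect: instead of hashing only the two keys, which yields a fixed value that anyone who captures one URL can reuse forever, it signs the request itself (method, path, body hash, a timestamp and a nonce), so a captured signature is only good for that exact call and only for a short window. The API_USERS array, the header names, the route and the key values are constructed stand-ins for the asker's table; hash_hmac() and hash_equals() are real PHP functions.

```php
<?php
declare(strict_types=1);

// Added example, not the asker's code. Both halves of an HMAC request-signing
// scheme built on hash_hmac(): the client signs the request with its private
// key and sends only the public key plus the signature; the server looks the
// private key up, recomputes the HMAC and compares with hash_equals().

// Constructed stand-in for the api-users table: publicKey => privateKey.
// The private key is shared out of band and never travels in a request.
const API_USERS = [
    'pk_mobile_01' => 'd3c8a7f2e1b04c5e9a6f7b8c9d0e1f2a',
];

const MAX_CLOCK_SKEW = 300; // seconds: requests older than this are rejected

function canonicalRequest(string $method, string $path, string $body, int $timestamp, string $nonce): string
{
    // Everything the server will act on is part of the signed string, so a
    // captured signature cannot be replayed against a different call.
    return implode("\n", [strtoupper($method), $path, (string) $timestamp, $nonce, hash('sha256', $body)]);
}

/** Client side: returns the headers to attach to the HTTP request. */
function signRequest(string $publicKey, string $privateKey, string $method, string $path, string $body, int $timestamp, string $nonce): array
{
    $signature = hash_hmac('sha256', canonicalRequest($method, $path, $body, $timestamp, $nonce), $privateKey);
    return [
        'X-Api-Key'   => $publicKey,        // identifies the caller
        'X-Timestamp' => (string) $timestamp,
        'X-Nonce'     => $nonce,            // unique per request
        'X-Signature' => $signature,        // hex HMAC-SHA256
    ];
}

/** Server side: true only if the request is fresh, unreplayed and correctly signed. */
function verifyRequest(array $headers, string $method, string $path, string $body, int $now, array &$seenNonces): bool
{
    $privateKey = API_USERS[$headers['X-Api-Key'] ?? ''] ?? null;
    if ($privateKey === null) {
        return false; // unknown public key
    }
    $timestamp = (int) ($headers['X-Timestamp'] ?? 0);
    if (abs($now - $timestamp) > MAX_CLOCK_SKEW) {
        return false; // stale request: bounds the replay window
    }
    $nonce = $headers['X-Nonce'] ?? '';
    if ($nonce === '' || isset($seenNonces[$nonce])) {
        return false; // same nonce seen before: replay inside the window
    }
    $expected = hash_hmac('sha256', canonicalRequest($method, $path, $body, $timestamp, $nonce), $privateKey);
    // hash_equals() is constant-time, so the comparison does not leak how
    // many leading bytes of a guessed signature were right. The server
    // recomputes the HMAC; it never needs to (and cannot) reverse it.
    if (!hash_equals($expected, $headers['X-Signature'] ?? '')) {
        return false;
    }
    $seenNonces[$nonce] = $timestamp; // remember it for the skew window
    return true;
}

// --- demo with constructed requests ---
$seen = [];
$now  = time();
$body = json_encode(['title' => 'hello']);

$good = signRequest('pk_mobile_01', API_USERS['pk_mobile_01'], 'POST', '/api/posts', $body, $now, bin2hex(random_bytes(8)));
var_dump(verifyRequest($good, 'POST', '/api/posts', $body, $now, $seen));            // true
var_dump(verifyRequest($good, 'POST', '/api/posts', $body, $now, $seen));            // false: nonce already used

$fresh = signRequest('pk_mobile_01', API_USERS['pk_mobile_01'], 'POST', '/api/posts', $body, $now, bin2hex(random_bytes(8)));
var_dump(verifyRequest($fresh, 'POST', '/api/posts', '{"title":"other"}', $now, $seen)); // false: body changed

$fresh['X-Signature'] = str_repeat('0', 64);
var_dump(verifyRequest($fresh, 'POST', '/api/posts', $body, $now, $seen));           // false: forged signature

$old = signRequest('pk_mobile_01', API_USERS['pk_mobile_01'], 'GET', '/api/posts', '', $now - 3600, bin2hex(random_bytes(8)));
var_dump(verifyRequest($old, 'GET', '/api/posts', '', $now, $seen));                 // false: outside skew window
```

In a real deployment the nonce store has to outlive a single request (a cache keyed by nonce with a TTL equal to the skew window is enough), the private keys should be generated with random_bytes() rather than typed in, and the signature should be carried in a header or the request body rather than the query string so it does not land in access logs and browser history.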