API Security and Multiple Front Ends

How would I go about securing the API so that only pre-approved clients can use it?

Say, my system has several clients: two web applications, two Flutter mobile apps, etc… All these front ends need to use my Adonis API. How do I secure the API so that only these specific applications can use them?

I see some settings I can change for Web clients. But, what about Mobile apps?

Thanks.

How do I secure the API so that only these specific applications can use them?

I am sorry to disagree, but there is no common sense between the criterion you mentioned and web applications security.

On the other hand, I do not think what you are trying to achieve is wise from the UX perspective: Why do you want for example to punish the user from accessing your application from this or that client ?

Security must never be done at the expense of the user experience.

This is a classic case of Security through obscurity.

1 Like

Oh no. What I mean is like, how do I go about implementing some kind of API key mechanism so I can control which applications can access my API.

Kind of like how third party APIs require you to register to get an API key to be able to use their APIs.

I’ve seen that some people has issiues with you wanting to restrict your aplication.

I do not agree with them, since there could be a multitude of reasons wanting to secure the app, one of them not having unlimited resources where api-calls are made every 0,1s. I think you should look towards oAuth. I do not know if there are any pre-made solutions for you thou.

Precisely. I have some API endpoints, like my registration endpoint, that I want to make sure only my own client apps can access. I don’t want some third-party accessing that endpoint to make several accounts on my system without my approval, for example.

Laravel could automatically handle this using Laravel Password package. I was actually wondering if Adonis had some kind of equivalent. As in, Laravel Passport has pre-built functionality to register client apps and generate API Keys for said clients.

So, like, I was wondering if Adonis has such an equivalent.

In short: It does not matter and it will not protect you.

Longer:
It does not matter if you try to restrict access to certain clients only or not, since everyone can still use it.

Let’s you put client token inside your client code. All it might do is keep away some really basic bots. But if token exists in client side code, malicious user can take this token and put it into their own code / client and use it from there.

They could also inspect requests and see some tokens moving. Steal it and use it in their own client.

Mobile apps are little but more secure, since inspecting mobile app requires tools, not just regular browser and F12 (in most cases) button on keyboard

What I also see a lot is that people make proxy, hide token in there and let their own clients do requests to this proxy not to API directly. But it would allow anyone to do requests to this proxy, thus protecting nothing.

You can build some fancy obfuscated method so that your token changes every time on both side by some algoritm. It will make things little bit harder, since it would take some time to normalize / deobfuscate it, but that’s about it.

What I’d suggest you to do is rate limit requests, so one client can’t do 30k POST /login requests per sec