Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 4 months ago.
Improve this question
Hey everyone, I run an image hosting website and I'm designing an API for it. My concern is that I don't want anyone to be able to do something like:
while(true) {
Upload();
}
and spam/DoS the site.
My current solution is to limit all IP addresses to a certain amount of uploads per day/hour. I believe this will work fine for desktop applications that will use the API, but for websites that wish to use it, all the users will have the same IP (the server's).
I suppose the best solution would be to have user accounts that authenticate with the API, and then ban each account if they abuse it. The problem with this is that my site has no user accounts at all, it's all completely anonymous.
What else can be done? I would like to keep things as open as possible, while at the same time have the ability to ban users/IPs who are obviously abusing the service.
If you don't want to implement user accounts, how about having those that want to use the api sign up for an api key/secret, which you can use to rate limit with.
Check out OAuth.
Check out an open source API management tool like apiGrove; apiGrove.net or on GitHub at apigrove.github.com/apigrove. apiGrove supports a variety of approaches to API protection, including IP whitelist and authorization by key.
At one company I worked for, we implemented throttling for all non-paying customers, with a limit of a certain number of requests per day, theoretically configurable per API endpoint. If You had to supply a unique ID as your application key in each request, in the QueryString for lightweight APIs or in the POST request XML for more complex APIs. For end-users not using a public API, you could pass an authentication token instead.
If you supply a public API without requiring some kind of authentication or authorization, you'll have to resort to IP-address based throttling. But it's not hard to create a lightweight provisioning web page that allows people to sign up for API access.
Your application logic can throttle based on number of requests, like we did, or daily bandwidth, like Flickr does.
Require a token to upload, and restrict the token with a CAPTCHA. Consuming code would be something like:
// 1st request
var uploadToken = api.RequestToken(sessionIdFromUser);
if (uploadToken.RequireChallenge) {
// requires challenge due to per IP limiting
// uploadToken.Captcha could be a URL
DisplayView(uploadToken.Captcha, uploadToken.SessionId);
return;
}
api.Upload(uploadToken, captchaFromUser, byte[]);
As others have mentioned on this thread, API keys is often the way to go in such situations. The fact that your site has no user accounts doe not matter: an API key identifies an application, and not a user. (In fact, if your site did have users, you woud need separate mechanisms to identify the app and the user in an API call - this is where OAuth is very helpful).
If you do not want to create your own developer registration process, API key issuing process, throttling code, etc., I would encourage you to take a look at my company, WebServius (www.webservius.com), that provides a hosted API management layer on top of an API you provide.
For APIs developed in .NET, you can use API Protector .NET.
See this answer: https://stackoverflow.com/a/56075128/1679165
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
I have gone thru the documentation of Account Linking but I am still unclear about the mechanics on how to build an action using a API that I do not own support Oauth2.
Let say, I want to allow Ebay users to ask "Hey Google, ask Ebay, has my order shipped?". With that question, I need to access user transactions on Ebay via API and I have no control over how Ebay OAuth2 endpoints and parameters.
Please let me know if you have done it or know a good example. Eventually, I will want to call API from various sites (some kind of mashup).
You will need to approach this in two parts - having an account in your system for each user and linking your account to their Assistant account.
The account in your system will store the credentials you need from them (usually an OAuth token) to access the API for a service on their behalf. This is typically done by having them log into your website and authorizing you to access the other service through an OAuth dance.
In the second part, the roles are slightly reversed. The Assistant now needs to get authorization from the user to access your service through an OAuth dance of some sort. This is what Account Linking does - it gets an OAuth token for your service to the Assistant so it can pass it to you and so you can verify who the user is.
Once you know who the user is (through the Assistant), you can then access their account on your service, get the auth tokens you need to access their account on another service (such as Ebay), and perform those actions.
In some situations, you can verify who the user is without Account Linking. The easiest is to require the user to sign into your service using Google Sign In (or otherwise get their Google account authorization to your service) and then use Google Sign In for Assistant to have the Assistant verify to you which Google account they're using. As above, you can then look up this account in your system and get the authorizations you have for the other services.
Our ReServe Interactive Social Tables account/app (unleashedadmin#reserveint...) has been authorized for the Layout Automation API endpoint. Does this authorization extend to all users of the API (the other Social Tables users that authorize and communicate to Social Tables through our application)?
Access to the /4.0/layout-automation endpoint set is currently gated on the requesting user's team's product access. This means that as of today (9/7), the endpoint will reject requests made with OAuth bearer tokens on behalf of users who do not have access to the product, event if the tokens were issued to an app belonging to a team that has access.
It sounds like your use case involves invoking layout automation on behalf of your end users, and we want to support it. We are treating this lack of access propagation as a bug, and will be rolling out a resolution and responding to this thread as soon as possible.
Thank you for your patience, and for helping us improve our platform.
I have a web application backend for my clients web site. Authorised staff can log in to the backend and view data.
I want to pull some data from Google Analytics to be viewed in the backend, but GA seems to insist that the user is logged in to their Google account themselves using OAuth2
I want to be able to authenticate the server not the user. They already have permission and it seems unnecessary and possibly intrusive to ask them to link their Google accounts to the GA account and possibly even have to create one first.
The server already has to supply a client id, client secret and an api key, so it's not as if there isn't already an authenticated connection.
I'm guessing that there must be a way to pass the Google Analytics account credentials to OAuth2 somehow but I am not that familiar with OAuth2
Is this possible and how would it be done. A simple example or a nudge in the right direction would be appreciated
There are similar questions around but the ones I have found do not answer my question in the way I need.
Yes you need to store the authentication, but you may be able to use Google Analytics Super Proxy for your needs. At the very least you can see its code on how it stores the authentication.
You authenticate once, input the data you need scheduled from the GA Reporting API, then take the data feed and use it to build charts in your intranet. Any user can view those charts without needing to login to GA themselves.
Can I use Adwords API developer token for multiple applications? In more detail, say if I have a website where I am using adwords API developer token, Can I use the same token for another application. Ofcourse both applications accessing the same account after all.
Thanks,
Murali.
You can use the AdWords API across different applications with just one API token, just make sure though that you are caching the authentication response and re-using those tokens otherwise you'll hit the throttle limit. (Incidentally, logging in is possibly the slowest part of their API, so caching the response will speed up your application considerably)
No doubt you can use same development token for your multiple applications which are accessing same account. If your applications will access different account then it needs to get different developer token.
For the reference, you can read http://goo.gl/zLBPF
Hope it will help you.
Murali,
You need just one developer token, whether your application(s) access same account or different accounts (whether linked under the same MCC hierarchy or not). As a matter of fact, AdWords API Terms and Conditions explicitly prohibits you from getting more than one developer token.
If you use a developer token to make calls, you will be charged for API cost to the account holding the developer token. This is another reason why you should treat your developer token as a password and should reset it immediately if you expose it to the public by say, posting it publicly on a forum.
I also wish to point out that the official AdWords API forum is http://groups.google.com/group/adwords-api, you can ask your questions there and someone will answer your questions in a day or two.
Cheers,
Anash
Yes, Adwords even has channels that you can create to separate your ad campaigns
Adword Docs - Campaigns
I like to build a system that will allow users to "commit buy" a deal, but will only be charged after a minimum # of committers are reached. The time span in which the "deal" will continue can be either weekly or monthly.
I like to stay away from building one from the ground up as much as possible.
I know there's another thread on StackOverflow that asked paypal, amazon, or google checkout API to serve this purpose, but this seems too much like a hack?
I did some reading on using a gateway like Authorize.net to process credit card information and they can store the user information and has a service like pay-as-you-go. Would using their API be a better choice? Can their pay-as-you-go method provide the system that I'm looking for?
I did some reading on using a gateway like Authorize.net to process
credit card information and they can store the user information and
has a service like pay-as-you-go. Would using their API be a better
choice?
I have used Authorize.net for recurring payments and it is easy to implement if you are fluent in working with a web service (regardless of language). You can integrate with them without the user needing to leave your website and without storing the user's credit card information.
However, you will be receiving the user's credit card number to implement such a model, and there are still precautions to be taken (versus redirecting to a secure third party site to receive the number).
Refine your question to be more specific to receive more specific answers.