Wanze.8410 Posted September 13, 2017

These days there is a wide variety of Apps with different purposes that require an API key. Some of them require a name-specific API key and some don't.

Problem

Players share API keys for a variety of reasons these days, but even if they give a key a specific name to use it for a specific app, other players can still use these API keys on Apps that don't require a specific name, and they might reveal more information than intended.

Solution

Make naming API keys a requirement for creation in our account menu and for use on different apps.

Zok.4956 Posted September 13, 2017

Every API client can request API data from a user with a valid API key. So the user should be careful which app to trust with his API key. The given name within an API key does not change that, because there is no client identification or authorization of a specific client app in the API.

I think a better and (more) secure solution would be if an API client can generate a public/private "app-client-key" and then show its users its own public-app-key.

And then the user can "bind" his/her own API key to a specific app-public-key within his A-net account administration.

And if a user-api-key is bound to a specific app-client-key, then the API server from A-Net only allows requests for this key if the requests are validated with the correct app-client-key. So the authorization and authentication is only done on the API server side by A-net (the only API side we should trust).

Only then can a "misbehaving" API client do nothing with this user-api-key.

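The key binding proposed in the post above, sketched as an added example; it is not part of any post in this thread and not ArenaNet's API. It assumes Ed25519 signatures and adds a per-request nonce so that a captured signed request cannot be reused; every type, function and sample value here is hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Server is a hypothetical API server; a nil public key means the API key is unbound.
type Server struct {
	keys map[string]ed25519.PublicKey // user API key -> bound app public key
	seen map[string]bool              // nonces already accepted per API key
}

func NewServer() *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, seen: map[string]bool{}}
}

// Bind is the user's step in account administration.
func (s *Server) Bind(apiKey string, pub ed25519.PublicKey) { s.keys[apiKey] = pub }

// NewAppKey is the app's step: it publishes the public key and keeps the private one.
func NewAppKey() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(nil) }

// SignRequest runs inside the app; the fields are assumed to contain no newline.
func SignRequest(priv ed25519.PrivateKey, apiKey, path, nonce string) []byte {
	return ed25519.Sign(priv, []byte(apiKey+"\n"+path+"\n"+nonce))
}

// Authorize is the server-side decision for one request.
func (s *Server) Authorize(apiKey, path, nonce string, sig []byte) bool {
	pub, known := s.keys[apiKey]
	if !known || pub == nil {
		return known // unknown key: refuse; unbound key: no app check
	}
	id := apiKey + "\n" + nonce
	if s.seen[id] || !ed25519.Verify(pub, []byte(apiKey+"\n"+path+"\n"+nonce), sig) {
		return false // replayed, or not signed by the bound app
	}
	s.seen[id] = true
	return true
}

func main() {
	pub, priv, _ := NewAppKey()
	s := NewServer()
	s.Bind("CONSTRUCTED-KEY", pub) // constructed sample value, not a real key
	sig := SignRequest(priv, "CONSTRUCTED-KEY", "/example", "n1")
	fmt.Println(s.Authorize("CONSTRUCTED-KEY", "/example", "n1", sig)) // first use
	fmt.Println(s.Authorize("CONSTRUCTED-KEY", "/example", "n1", sig)) // same request again
}
```

Because the signature covers the API key, the path and the nonce, a second app that only learns the user's API key cannot produce a request the server accepts for a bound key.
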
Lawton Campbell.8517 Posted September 13, 2017

Unfortunately, there's no way to do this in a backwards-compatible way. Implementing this would break a whole swath of apps that don't check the API key name.

Also I don't have any free time these days to rework the entire API key system :(

Wanze.8410 (Author) Posted September 14, 2017

@Lawton Campbell.8517 said:
> Unfortunately, there's no way to do this in a backwards-compatible way. Implementing this would break a whole swath of apps that don't check the API key name.
>
> Also I don't have any free time these days to rework the entire API key system :(

I guess you meant that you haven't found a way yet.

Can't you just make the API key name a required (variable) permission?

Malediktus.9250 Posted September 14, 2017

I am already annoyed by some websites forcing you to name your API keys in specific ways, it better does not become mandatory

Elfo Bianco.3786 Posted September 15, 2017

@Malediktus.9250 said:
> I am already annoyed by some websites forcing you to name your API keys in specific ways, it better does not become mandatory

I totally agree with Malediktus.9250

Archived
This topic is now archived and is closed to further replies.