05-30-2018, 06:59 PM
I thought I'd go ahead and add my own reply to explain how I solved this problem, just in case anyone searching is having the same thoughts. After a night's rest I realized the implementation is much simpler than I had originally thought.
First, I went ahead and modified usersc/scripts/during_user_creation.php to generate an API key for each user upon registration. You can read more about cryptography and the generation of secure API keys here. I went with a simple approach:
Code:
$key = bin2hex(openssl_random_pseudo_bytes(16));
Then, I went ahead and included a hidden input within the pages that I will be using my API on.
Code:
<input type="hidden" name="key" value="<?=$user->data()->api_key;?>" />
Now, via JS and AJAX I will be able to grab that API key from the hidden input and make calls to my API. Upon every request to my API, the key is checked against the database to ensure that the key exists. Assuming your key generation method is secure, there will be no way for anyone to make anonymous requests to the API - all calls to the API will be able to be traced to a username in the event of abuse.
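The flow described in the post (generate a key at registration, send it with each request, look it up on every API call) as an added, self-contained example. This is not UserSpice's code and not the poster's code; it assumes a PDO connection, a `users` table with `id`, `username` and `api_key` columns (the `api_key` column is the one the post adds), and that the hidden input named `key` arrives as a POST field. It uses `random_bytes()` in place of `openssl_random_pseudo_bytes()`, which is the CSPRNG PHP 7+ ships with, and a prepared statement so the attacker-controlled key never lands inside the SQL string. Run it from the CLI and it exercises itself against an in-memory SQLite database.

```php
<?php
// Added example, not code from UserSpice or from the original post.
// Assumed schema: users(id INTEGER, username TEXT, api_key TEXT UNIQUE).
// Assumed transport: the hidden input "key" is posted with every API request.
declare(strict_types=1);

// 128 bits of CSPRNG output as 32 lowercase hex characters. random_bytes() throws
// instead of silently returning weak output when no entropy source is available.
function generate_api_key(): string
{
    return bin2hex(random_bytes(16));
}

// Resolve a presented key to its owner, or null if it is not a known key.
function user_for_api_key(PDO $db, string $key): ?array
{
    // Cheap syntactic check first: every key we ever issue is exactly 32 hex chars,
    // so anything else (empty string, injection attempts) is rejected before the DB.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $key)) {
        return null;
    }
    // Prepared statement: the key is bound as a parameter, never interpolated.
    $stmt = $db->prepare('SELECT id, username FROM users WHERE api_key = :key LIMIT 1');
    $stmt->execute([':key' => $key]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Gate for an API endpoint: return the calling user, or answer 401 and stop.
// Every call that passes is attributable to a username, which is the point of the scheme.
function require_api_user(PDO $db): array
{
    $user = user_for_api_key($db, (string) ($_POST['key'] ?? ''));
    if ($user === null) {
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'invalid or missing API key']);
        exit;
    }
    return $user;
}

// Self-test when run from the command line (constructed data, in-memory SQLite).
if (PHP_SAPI === 'cli') {
    $check = static function (bool $ok, string $what): void {
        if (!$ok) {
            throw new RuntimeException("check failed: $what");
        }
    };

    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, api_key TEXT UNIQUE)');

    // What during_user_creation.php would do: mint a key and store it with the new user.
    $aliceKey = generate_api_key();
    $ins = $db->prepare('INSERT INTO users (username, api_key) VALUES (:u, :k)');
    $ins->execute([':u' => 'alice', ':k' => $aliceKey]);

    $check(strlen($aliceKey) === 32, 'key is 32 hex chars');
    $check(user_for_api_key($db, $aliceKey)['username'] === 'alice', 'valid key resolves to alice');
    $check(user_for_api_key($db, generate_api_key()) === null, 'unknown key is rejected');
    $check(user_for_api_key($db, '') === null, 'empty key is rejected');
    $check(user_for_api_key($db, "' OR 1=1 --") === null, 'injection-shaped key never reaches SQL');
    echo "ok\n";
}
```

One caveat worth keeping in mind with this design: because the key is printed into the page, anyone who can read that page (a shared browser, an XSS bug elsewhere on the site) has the user's key. The lookup above tells you which account a call belongs to; it does not by itself tell you that the account holder made it, so treat the `api_key` column as a credential (rotate it on logout or on suspicion, and serve the page only over HTTPS).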