rest – APIs Security for publicly exposed APis for Website/App

We have a website using PWA Client calls / Mobile APP, all using the same APIs.
We have APIs Exposed to Public. Currently, our APIs are not secure meaning that anyone can check APIs signature via developer tools/proxy tools and hit the API.

We want our APIs to be hit by verified clients.
Verified clients do not mean logged in clients. Our website can be used by non-logged in users as well. Clients here mean users accessing the website via browsers/app.

So for that, we are planning that we will allow those APIs only which have the registered/enabled token and that will be sent via header.

Now to generate the token:

  1. Device —- sends Token(B) Request—-> Server
  2. Server generates Token(B) and returns it and stores it in Redis
  3. Device —- sends Token(B) to enable request—–> Server
  4. The server enables it
  5. The device sends Token(B) in all subsequent requests
  6. The server checks whether the token exists in Redis in the enabled state or not

Since these register/enable token APIs are also exposed publicly, to ensure no one is able to hack this process:

  • While enabling the token, we also send the Encrypted token(A) alone with the actual token(B).
  • At the server, we decrypt the token(A) and matches it with the normal Token(B).

Encryption is done using the private key known to client/Server only.

Is this the right approach and this is vulnerable? The only issue is seen is that register/enable token APIs are exposed publically. But we have also added the security to that, is that good enough?

List of blockchain explorer APIs?

I’m gathering a list of Bitcoin / Blockchain APIs. I mean web (REST) APIs that allow you to do basic blockchain queries through http(s) API calls, such as: getting the balance on an address, getting a list of transactions from or to an address, getting the details (inputs and outputs) for a transaction, et cetera.

I’m familiar with blocktrail.com, blockcypher.com, blockchain.info, and blockr.io, but I remember having seen others in the past. Any more?

web api – API Design: Errors passed between APIs

I work as a developer on a few different APIs that make calls to each other.
Let’s take two and call them API-USER and API-BUSINESS.

A user application makes calls to API-USER, which in turn makes calls to API-BUSINESS

Right now, when API-BUSINESS returns an error the API-USER receives it as a generic error and passes it through to the user.

The concern is that this approach could lead to issues when breaking changes are introduced to the errors in API-BUSINESS.

Are there some API patterns or practices that can lead to a more durable approach to passing errors between APIs?

Is there a better vocabulary to use when talking about this type of error passing?

api design – Are there names for APIs that don’t relate to user data versus APIs that do?

Does anyone know of terms for APIs protected by API keys that don’t relate to user data (e.g. weather, voice to text) versus APIs that are protected by OAuth (or similar) and relate to user data (e.g. GitHub, Slack)?

I realized these seem to be fundamentally different kinds of APIs with different needs in terms of authorization and rate limiting, but I haven’t been able to find any writings that recognize this, provide more insight into their differences, or even name them. Any thoughts?

Getting 403 HTTP error while accessing Google translate APIs

That might be due to a change in policy on Googles side:

Note: The Cloud Translation API is migrating to new default quotas, as described in the following table. Until the migration is complete, your default quotas might be different. To view your Cloud Translation API quotas, see the Google Cloud Console.

It could also be caused by using a service account:

Per user quotas limit the number of requests that an end user, who is using a client application, can make per minute. When you use a service account, the service account’s identity is the user for quota purposes. For requests that use an API key, Cloud Translation API uses the client’s IP address to enforce this limit.

In any way you should check the Google Translate Docs for Quotas and contact Google support if those limitations don’t apply to you.

architecture – Product subscription checks in a Microservice API’s

We’re in the middle of architecture a SaaS web app which will operate on a subscription basis. Each user is associated with a merchant by means of a claim on their identity and the subscription exists at the merchant level.

We have a number of separate microservice API’s and we’d like to prevent anyone without a valid subscription from successfully calling these API’s. So far we’ve come up with a couple of potential options:

  1. Add a policy to the API gateway which fronts all of the API’s. The policy would check for an active subscription by calling an endpoint on our subscription API. If no valid subscription is found a 402 payment required response would be returned for our front end to handle
  2. Replicate active subscriptions into each Microservice by messaging. Each API would hold a complete list of all active subscriptions and would perform a check before executing the requested API method. Again a 402 would be returned where there is no valid subscription.

Option 1 seems the simpler but has a single point of failure, if the subscription API goes down nothing will work. Option 2 seems more robust but requires more effort and could result in data becoming out of sync.

Are there any thoughts on whether these are suitable ways to achieve our goal and if so which one might be best? We’re very much open to other ideas as well if anyone has any.

The solution will be written in .NET core and will be deployed to Azure so we’re open to PaaS solutions if there are any.

Many thanks in advance.

rest – Is this an anti-pattern to have a service have both APIs and listening to events?

I am planning to make a service which will have simple REST APIs and will have a database in backend. I also wanted to add a logic to listen to notifications emitted by other service and there is some business logic which will update the row in the database.

For updating the database row from Notifications, I can think of 2 approaches:

  1. Should I create a API which is kind of internal to just used by service and this listener process calls this API instead of directly updating the database?

  2. Listener process directly updates the service.

I can see some pros and cons of each approach. In Approach 1, we are adding a REST API unnecessarily which is never used by clients.

In Approach 2, we are giving one backside way to reach the database instead of all the requests coming from REST API.

Can someone help me here to tell if one of them is anti-pattern and which one is better to use?

opengl – How do I render to a resizable window from a large fixed size back buffer in current graphics APIs?

I have some code that uses DirectX 9 with Windows native window management, that I would like to port to newer graphics APIs, but this code has a fairly unusual approach to window resizing, and it doesn’t seem obvious how to achieve the same things with newer graphics APIs.

The code I want to port allocates a back buffer large enough for a full screen window which remains the same size across window maximised, minimised, and resize events. When the window is smaller than the back buffer, only part of the back buffer is shown.

In order to render from this large back buffer, in DirectX 9, I’m specifying regions with the pSourceRect and pDestRect in IDirect3DDevice9::Present and using D3DSWAPEFFECT_COPY.

The advantages of this, as I see it, are as follows:

  • There’s no need to free and reallocate any resources in response to window size changes.
  • Not reallocating resources reduces code complexity significantly.
  • Not reallocating resources makes the application more responsive in the case of windows size changes.
  • The rendered scene continues to be drawn, smoothly, as the application window is being resized, without any need for potentially tricky and complicated attempts to update rendering settings in response to resize events.

(As the code is written, the application is essentially paused during window resize. The user nevertheless gets a smoothly updated view of the relevant part of the current static rendered scene during window resize.)

How do I do the same thing with newer graphics APIs?

In newer DirectX versions it seems like the ‘BitBlt model’ described on this page roughly corresponds to D3DSWAPEFFECT_COPY in DirectX 9:
https://docs.microsoft.com/en-us/windows/win32/direct3ddxgi/dxgi-flip-model

However, when I try setting the swap effect to DXGI_SWAP_EFFECT_DISCARD, in DirectX 12, I get the following error:
IDXGIFactory::CreateSwapChain: This D3D API version requires the swap effect to be one of DXGI_SWAP_EFFECT_FLIP_*.

So I guess the BitBlit model is no longer supported. 🙁

I guess a logical alternative would then be to do something equivalent ‘manually’, but it seems like doing something like this would lose one of the advantages of the trick, as it works out in DirectX 9, which is the smooth update during resizing without needing to intercept resize events and update stuff in response to these, in the application code.

What I’d like to see, ideally, are links to working code that does something equivalent to what I’m doing in DirectX 9, in DirectX 12, OpenGL, or Vulkan.

If it helps to see the code in action, and the resulting resize behaviour, you can see this in the PathEngine graphical testbed, which can be downloaded here: https://pathengine.com/downloads
(And I could also look at stripping out and posting source code for a minimal example application that demonstrates this behaviour, if this would help.)

oauth2 – How to integrate multiple services via API’s into a single dashboard on a per-user basis with SSO?

so my project is that I’d like to pull data from a bunch of different services/API’s and show them in a single dashboard. SSO is a requirement so I want to make sure the user doesn’t have to put in their password over and over.

The system already has SAML2.0 set up with ADFS which is configured as the identity provider for all the services.

The issue is that when a user uses SAML to log into a service, they leave my dashboard app and don’t get any of the user permissions for that service. For example, say the user is trying to access Gitlab and they only have access to a certain number of projects, unless they go into gitlab and generate a user API key and copy/paste it into my dashboard app, I can’t get that user’s permissions when making API calls.

From my research, it sounds like using OAuth2.0 is the solution to this; set up ADFS to generate tokens for a user (as the Authorization server) and then integrate it with applications that use OAuth2.0 (which would be the resource servers) and my dashboard app would be basically a client hanging on to the tokens. This would enable me to make API calls with scoped permissions.

Does this sound like a good idea? Instinctually, I feel that this has got to be a common problem that’s been solved many times before but I am not formulating the Google/Stackoverflow searches for the solution.