❔ How do I prevent access to a web server (web api application) from certain clients?
I have a web API running on Azure. I also have 2 clients, 1 Android app and 1 iOS app. The clients use JSON Web Tokens to communicate with the server. This is how the authorization is done. In theory the JSON Web Tokens are acting like API keys to retrieve and mutate data. But if the user gets their hands on the token, they can make requests to the server from other applications/services. Example: they could have their own website that is making calls to the web server with the JWT. Is there a way I can only allow incoming requests from certain specific clients? In this case, our mobile apps.
12 Replies
How do you know whether it's the Android or the iOS app that contacts you?
We only have 2 apps, one Android and one iOS. Right now we are not checking whether the incoming request is coming from iOS or Android.
ok
You could still use a custom header in your requests to make it more difficult to contact the API without the docs, but it's just a mitigation.
Yeah it wouldn't be sufficient. Keep in mind that the apps will be publicly available to any user.
They would still have to decompile the app to reverse it 🤔
True that, but what if we have a web service, like a website that is making calls? Then what? 😁 Boom, the code is right there.
Yeah, they can still use a proxy to check what's in the request.
That too, damn. I forgot about that.
How do you hand out these tokens?
@Henkypenky They provide their credentials and I generate a JWT through an HTTP POST request.
Good, you can probably record some unique identifier of that user and use that in the requests to come.
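The suggestion above, worked through as an added example that is not code from the thread or from the poster's API: at login the server records a per-installation identifier and binds it into the JWT as a `cid` claim; every later request must send the same identifier in a header (assumed here to be `X-Client-Id`) and the server rejects the request if the header and the claim disagree. The token format is a plain HS256 JWT built with the Python standard library only; the claim name, header name and secret are assumptions for the example. As the thread already notes, anyone who can proxy the app's traffic sees both the token and the header, so this narrows replay to the identifier recorded at login rather than blocking third-party clients outright.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, client_id: str,
                ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT at login. `sub` is the user, `cid` is the
    identifier recorded for the installation that logged in (assumed claim name)."""
    issued = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "cid": client_id,
               "iat": issued, "exp": issued + ttl_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_request(secret: bytes, token: str, presented_client_id: Optional[str],
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Check signature and expiry, then require that the X-Client-Id value
    presented with the request (assumed header) equals the `cid` bound into
    the token. Returns (ok, subject) on success or (False, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed token"
    # Pin the algorithm server-side; never let the token's header choose it.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    current = int(time.time()) if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, int) or current >= exp:
        return False, "expired"
    # The token is only honoured from the installation it was issued to.
    bound = str(payload.get("cid", "")).encode()
    if presented_client_id is None or not hmac.compare_digest(bound, presented_client_id.encode()):
        return False, "client id mismatch"
    return True, str(payload.get("sub", ""))


if __name__ == "__main__":
    # Constructed walk-through: login from one installation, replay from elsewhere.
    t = issue_token(SECRET, "user-42", "android-install-abc", ttl_seconds=600)
    print(verify_request(SECRET, t, "android-install-abc"))   # (True, 'user-42')
    print(verify_request(SECRET, t, "someones-website"))      # (False, 'client id mismatch')
```

The identifier should be something the server generates and returns at login (a random per-installation value the app stores), not a device property the app reads; the check then compares the header to the claim with a constant-time comparison, and the algorithm is fixed in the verifier rather than read from the token.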