Wanze.8410 Posted September 13, 2017

These days there is a wide variety of Apps with different purposes that require an API key. Some of them require a name-specific API key and some don't.

## Problem

Players share API keys for a variety of reasons these days, but even if they give it a specific name to use it for a specific app, other players can still use these API keys on Apps that don't require a specific name and they might reveal more information than intended.

## Solution

Make naming API keys a requirement for creation in our account menu and use on different apps.
Zok.4956 Posted September 13, 2017

Every API-client can request API-data from a user with a valid API-key. So the user should be careful which app to trust for giving it his API-key. The given name within an API-key does not change that, because there is no client-identification or authorization of a specific client-app in the API.

I think a better and (more) secure solution would be if an api-client can generate a public/private "app-client-key" and then shows its users its own public-app-key. And then the user can "bind" his/her own api-key to a specific app-public-key within his A-net account administration. And if a user-api-key is bound to a specific app-client-key, then the API-server from A-Net only allows requests for this key if the requests are validated with the correct app-client-key.

So the authorization and authentication is only done on the API-server-side by A-net (the only API-side we should trust). Only then a "misbehaving" api-client can do nothing with this user-api-key.
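The binding scheme proposed in the post above, sketched as an added example (not part of the original thread and not ArenaNet's API): the server keeps a user-key-to-app-public-key binding and accepts a bound key only with a fresh signature from that app. Ed25519, the signed message layout, the timestamp window and every name and value here are assumptions.

```javascript
const crypto = require('node:crypto');

// Constructed sample data: key value, app identities and endpoint are placeholders.
const trustedApp = crypto.generateKeyPairSync('ed25519');
const otherApp = crypto.generateKeyPairSync('ed25519');
const USER_API_KEY = 'EXAMPLE-USER-API-KEY';
const ENDPOINT = '/example/account';

// Account administration: user API key -> public key of the one app it is bound to.
const bindings = new Map([[USER_API_KEY, trustedApp.publicKey]]);

// Hypothetical message layout: key, endpoint and timestamp, newline separated.
function messageFor(apiKey, endpoint, timestamp) {
  return Buffer.from(`${apiKey}\n${endpoint}\n${timestamp}`);
}

// Client side: the app signs each request with its private app-client-key.
function makeRequest(app, apiKey, endpoint, timestamp) {
  const sig = crypto.sign(null, messageFor(apiKey, endpoint, timestamp), app.privateKey);
  return { apiKey, endpoint, timestamp, signature: sig.toString('base64') };
}

// Server side: a bound key is honoured only with a fresh, valid signature
// made by the app the user bound it to.
function authorize(req, now, maxSkewSeconds = 300) {
  const boundKey = bindings.get(req.apiKey);
  if (!boundKey) return 'unbound-key'; // no binding: the key alone decides, as today
  if (!req.signature) return 'rejected-missing-signature';
  if (Math.abs(now - req.timestamp) > maxSkewSeconds) return 'rejected-stale';
  const ok = crypto.verify(
    null,
    messageFor(req.apiKey, req.endpoint, req.timestamp),
    boundKey,
    Buffer.from(req.signature, 'base64')
  );
  return ok ? 'authorized' : 'rejected-bad-signature';
}
```

The timestamp only bounds how long a captured request stays usable; a server that needs to refuse replays inside that window would also have to track a per-request nonce.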
Lawton Campbell.8517 Posted September 13, 2017

Unfortunately, there's no way to do this in a backwards-compatible way. Implementing this would break a whole swath of apps that don't check the API key name.

Also I don't have any free time these days to rework the entire API key system :(
Wanze.8410 (Author) Posted September 14, 2017

> @"Lawton Campbell.8517" said:
> Unfortunately, there's no way to do this in a backwards-compatible way. Implementing this would break a whole swath of apps that don't check the API key name.
>
> Also I don't have any free time these days to rework the entire API key system :(

I guess you meant that you haven't found a way **yet**. Can't you just make the API key name a required (variable) permission?
Malediktus.9250 Posted September 14, 2017

I am already annoyed by some websites forcing you to name your API keys in specific ways; it had better not become mandatory.
Elfo Bianco.3786 Posted September 15, 2017

> @Malediktus.9250 said:
> I am already annoyed by some websites forcing you to name your API keys in specific ways; it had better not become mandatory.

I totally agree with Malediktus.9250.