• 0
Votes
name

A PHP Error was encountered

Severity: Notice

Message: Undefined index: userid

Filename: views/question.php

Line Number: 191

Backtrace:

File: /var/www/html/cnasolution/site/application/views/question.php
Line: 191
Function: _error_handler

File: /var/www/html/cnasolution/site/application/controllers/Questions.php
Line: 419
Function: view

File: /var/www/html/cnasolution/site/index.php
Line: 315
Function: require_once

name Punditsdkoslkdosdkoskdo

How do I secure an api key correctly?

I'm currently working on an API that is going to be used in an app and a website. For some actions, you have to be logged in and for others not. Users are also split up into different account types like e.g. users and support. For the API I've used the slim framework.

So my approach is the following:

  • The API key with its type is stored in the database and its bond to an account
  • I assign group permissions to each command, which restricts e.g. not logged in users

The following is an example of a request:

https://myapiwebsite.com/index.php/api/v1/getSupportTickets?apikey=Test

In this example, not logged in users and normal users are restricted, but support users not. As this is already working, I have to ask myself if this is even secure, because someone could e.g. spoof the support users' API key and disguises himself as support staff. How can I secure my API, or is there another way to do it?

Download script demo [LINK]
Download script demo [LINK 2] Download script demo [LINK 2]