Restrict the API


#1

We are working with a self-hosted deployment (a docker setup) with skygear-server and skygear-chat. The API_KEY is known to our web application as well as to the iOS and Android app, and it is therefore possible that the key is known by an attacker. Therefore I have the following questions:

  • Is it possible to restrict some calls to the API (e.g. a query request to fetch all users)?

  • Is it possible to change the API_KEY without restarting the server (e.g. if we would like to change the key every night)?

Thanks for your help.


#2

Hi Adrian,

The API_KEY is expected to be on the client side and known by the client side. The API_KEY doesn't have much permission until it gets a user session via the signup or login API, and after that its access is limited to the user's own data. So don't worry about it.

Specifically, to your questions:

No, most APIs are limited to accessing the user session's data, as mentioned. However, you should consider securing the database with Record-based and Field-based ACL. More details here: https://docs.skygear.io/guides/acl/acl-overview/js/

To secure user session, we have recently introduced locally encrypted session (Ref: https://github.com/SkygearIO/skygear-SDK-iOS/commit/3ef2b24e65a9b8564bf5f1e319a520130b58c2d5)

It is not necessary. However, you should keep the MASTER_KEY strictly confidential, as it overrides all ACL and user permissions.
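To make the access model in the answer above concrete, here is an added illustration (not Skygear's code, and not from anyone in this thread) of the three tiers it describes: a client API key alone yields no data, a user session sees only its own records plus what the record- and field-based ACL grants it, and the master key bypasses every ACL check. All keys, user ids and records below are constructed for the example; the field names (`readers`, `private_fields`) are this example's own, not Skygear's.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed keys for the example; a real deployment reads them from server config.
API_KEY = "client-api-key"        # shipped inside web/iOS/Android apps, so assume it is public
MASTER_KEY = "server-master-key"  # server-side only; bypasses every ACL check


@dataclass
class Record:
    record_id: str
    owner: str                                   # user id of the creator
    data: Dict[str, str]
    readers: Set[str] = field(default_factory=set)          # record-based ACL: user ids, or "*" for public
    private_fields: Set[str] = field(default_factory=set)   # field-based ACL: owner-only fields


@dataclass
class Request:
    api_key: Optional[str] = None
    session_user: Optional[str] = None   # set only after signup/login
    master_key: Optional[str] = None


# Constructed sample records.
RECORDS: List[Record] = [
    Record("r1", "alice", {"name": "Alice", "email": "alice@example.com"},
           readers={"*"}, private_fields={"email"}),
    Record("r2", "bob", {"name": "Bob", "email": "bob@example.com"},
           readers={"*"}, private_fields={"email"}),
    Record("r3", "bob", {"note": "bob's draft"}),   # no readers: owner only
]


def _visible_fields(rec: Record, user: str) -> Dict[str, str]:
    """Apply the field-based ACL: strip private fields unless the requester owns the record."""
    if user == rec.owner:
        return dict(rec.data)
    return {k: v for k, v in rec.data.items() if k not in rec.private_fields}


def query(req: Request, records: List[Record] = RECORDS) -> List[Dict[str, str]]:
    """Return the records this request may see.

    Master key: everything, no ACL applied.
    Valid API key without a session: nothing (a leaked key on its own is harmless).
    Valid API key with a session: own records plus records whose ACL grants read.
    """
    if req.master_key == MASTER_KEY:
        return [dict(r.data) for r in records]
    if req.api_key != API_KEY:
        raise PermissionError("unknown API key")
    if req.session_user is None:
        return []
    user = req.session_user
    return [
        _visible_fields(r, user)
        for r in records
        if user == r.owner or "*" in r.readers or user in r.readers
    ]


if __name__ == "__main__":
    print("api key only:", query(Request(api_key=API_KEY)))
    print("alice session:", query(Request(api_key=API_KEY, session_user="alice")))
    print("master key:", query(Request(master_key=MASTER_KEY)))
```

The point of the model is the asymmetry: the API key is a client identifier, not a secret, so rotating it nightly buys little, whereas the master key is the credential whose leak exposes every record regardless of ACL.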


#3

Hi Ben, thanks for your answer. The concept with the API_KEY looks good and I will have a look at the ACL to check if we can use it in our app.