12

The REST API for MongoLab is cool. I can use it for analytics in my website directly using the following JavaScript, provided on MongoLab's support page, if only I could understand how the authentication actually works. The API key mentioned in the URL could easily be copied by anyone who views the HTML source. The MongoLab control panel does not offer any registration for my website that would assure me that the API key will be validated only if it comes from my domain. How does this authentication work?

$.ajax( { url: "https://api.mongolab.com/api/1/databases/my-db/collections/my-coll?apiKey=myAPIKey",
          data: JSON.stringify( { "x" : 1 } ),
          type: "POST",
          contentType: "application/json" } );
brayne

3 Answers

11

Excellent observation, and great question.

Currently, all API keys have read and write access to the databases associated with the user's account, and any agent possessing an API key can successfully issue any such request.

As you observe, this very basic pass key is not designed with any kind of fine-grained security in mind.

However, we're working on a batch of new REST API security features aimed at precisely that.

Contact us at support@mongolab.com if you'd be interested in discussing the details.

dampier
  • You seem to have been working on this for a long time. Whilst I appreciate that there are other ways developers can do this themselves, an estimated time scale would be useful. – Neil Jan 19 '13 at 07:35
  • I'd love to hear a bit more about this in terms of planning. Is there a link to the "batch of new REST API security features" so I can read how they will work and possibly weigh in with my 2cts? – iwein Jun 28 '13 at 09:00
  • Any update on this? Your jQuery example doesn't really make sense if the API can't be used client side. – themihai Jan 22 '14 at 09:48
1

I'd like to use the MongoLab service for my first AngularJS app with MongoDB, but MongoLab is not ready for production with a web app that wants access from the front end to MongoDB.

It's very easy to get the API key from the browser's network traffic (see screenshot below; the apiKey is in plain text there), and then anyone can have full access to the DB. So messing around with the MongoDB would be no problem.

I haven't found a workaround for MongoLab yet. At the moment, I think I will use another service like https://www.dreamfactory.com/

I haven't tried it in detail yet, but it looks great for an Angular app with MongoDB, and I need to check how they implemented the security of the API. At first look, it seems to be working with session tokens to secure the requests to the database.

[Screenshot: network traffic showing the MongoLab credentials (apiKey) in plain text]

AWolf
-1

You have an API key for making HTTP requests to your DB using their REST API. For example, if a user wants to log in, I make a request with the GET method like this:

https://api.mongolab.com/api/1/databases/name_db/collections/users/put_your_params_like_username_and_pw?apiKey=xxxxxxxxx

And then you analyze the response to that request. It is not the most secure DB in the world but it is getting better.

If you want more info I talk about that in my blog: http://lolapriego.com/blog/?p=16