5

What is the recommended way to restrict my django rest framework APIs to be available to my mobile and web apps only? I'm using django-rest-auth to authenticate my users. There are some APIs that can be accessed anonymously. But I need to make sure that all the APIs are available only through my apps (mobile and web).

Any help/tutorials are highly appreciated. Thank you

user4848830
  • 779
  • 12
  • 22

2 Answers

0

You need to set up the authorization scheme at the configuration level to restrict it to your mobile / web app only and explicitly set the public ones at the class level. See http://www.django-rest-framework.org/api-guide/permissions/#setting-the-permission-policy about implementation details.

Linovia
  • 19,812
  • 4
  • 47
  • 48
  • Thanks for your response. However, I don't understand how to detect if the request is coming from my app. I'm able to authenticate users using django-rest-auth, but then any 3rd party app can use my APIs to register a user. I want to restrict the access of my APIs (accessing the resources, registration etc.) to my mobile and web apps. I tried using django-oauth-toolkit, but it requires a username while asking for a token. I can associate a dummy user with an anonymous user accessing my APIs on my mobile/web app, but is this the only way out? – user4848830 Dec 01 '15 at 08:58
  • The web app will look just as if it was your user, or you can consider it as if it was, so you probably want to explain more about why you want to do that. – Linovia Dec 01 '15 at 13:32
  • Sorry if I was not clear. All I want to do is make sure only my mobile app and web app can access my REST APIs, even though users on my apps can be anonymous (they don't have to register). I don't want any 3rd party apps to use my APIs to access my data. – user4848830 Dec 01 '15 at 16:23
  • As long as you're using a web application, the users will be able to see the code and access your API, no matter how. Possibly not every one of them, but some will. – Linovia Dec 01 '15 at 16:51
0

Because all requests can be sniffed, you can't use any secret key or check for the HTTP origin (it can be faked easily).

For mobile you can try using a secret-key generator with some special algorithm. For example MD5(current_time + your_secret_phrase). Then you will be able to verify that the code is acceptable. It will make using your API almost impossible for sniffers.

But for web you can't do much. All headers can be faked. The only way is user authentication.

You can, of course, use Secret-key and change it every month/day/hour. But is it worth it?

DevilPinky
  • 558
  • 3
  • 13
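Added example, not code from either answer: the timestamped signed-request scheme the second answer sketches, implemented with HMAC-SHA256 and a freshness window instead of a bare MD5 hash, so the server-side check, replay rejection and tamper detection are all visible. `APP_SECRET`, `sign_request` and `RequestVerifier` are hypothetical names chosen for this example.

```python
import hashlib
import hmac
import time

# Hypothetical shared secret for the example. In practice it lives in the
# server config and the mobile build; anything shipped inside a client
# binary can be extracted, so this only raises the bar for casual scraping
# and does not replace user authentication.
APP_SECRET = b"example-secret-not-a-real-key"
MAX_SKEW_SECONDS = 300  # reject signatures older than five minutes


def sign_request(method, path, body, timestamp, secret=APP_SECRET):
    """Client side: HMAC-SHA256 over method, path, timestamp and body."""
    message = f"{method.upper()}\n{path}\n{timestamp}\n".encode() + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class RequestVerifier:
    """Server side: checks the signature, its freshness, and replays."""

    def __init__(self, secret=APP_SECRET, max_skew=MAX_SKEW_SECONDS):
        self.secret = secret
        self.max_skew = max_skew
        self._seen = set()  # (timestamp, signature) pairs already accepted

    def verify(self, method, path, body, timestamp, signature, now=None):
        now = time.time() if now is None else now
        try:
            ts = int(timestamp)
        except (TypeError, ValueError):
            return False  # malformed timestamp header
        if abs(now - ts) > self.max_skew:
            return False  # stale or far-future timestamp
        expected = sign_request(method, path, body, ts, self.secret)
        # constant-time comparison so the check does not leak the expected
        # digest byte by byte through timing
        if not hmac.compare_digest(expected, signature):
            return False  # wrong secret or tampered request
        key = (ts, signature)
        if key in self._seen:
            return False  # exact replay of an already-accepted request
        self._seen.add(key)
        return True
```

A web client cannot keep the secret, which is the limitation both answers point out; the check is only meaningful for the native app, and the replay set would need to be shared storage (e.g. a cache) across server processes.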