
I am trying to figure out how to set up a safe API. API URL: https://nomnomaapiurl:D/api/g_userinfo.php?apireqkey=akeythats same for everyone&r=userid&func=setmoney&money=231

This function updates the money that a user currently has. Currently I am making requests in Unreal Engine 4 using the VaRest plugin to update a value in the database. But how do I do this safely, so you can't simply enter this URL in your browser and cheat some money?

GewoonJaap
  • I would use a `PUT` request and send the information in the body first and not the URL. I would then have my server return a 403 or some other error for requests that don't originate from the UE app. If you can't do this using IP, you can set some custom headers, but those are easy to spoof. Whatever is triggered before money is added should set some information to allow you to validate money being added before the adding occurs. – Kisaragi Jun 05 '18 at 16:37
  • Example: Before you actually add money, send a request to the server and store the amount you are about to add, you can also return a token that expires in x amount of time. Now, when you send the request to actually add, check that the token isn't expired and the amount you're adding is the amount you stored. Any requests that don't have an associated token will be denied. – Kisaragi Jun 05 '18 at 16:39
  • If the key is the same for everyone, then why bother even having a key? – Sammitch Jun 05 '18 at 18:19

1 Answer


You pick a condition that you can enforce server-side and require that it be met before successfully fulfilling the request.

For instance, you can decide that only trusted (i.e. authorized) people can add money. Then you require a username and password to make sure that the person making the request is one of those people (i.e. authenticate them).

Quentin
  • Since it's a peer-to-peer server, I don't think that fits, because when you host you can simply capture the data, I think – GewoonJaap Jun 05 '18 at 16:37
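The grant-then-apply check that Kisaragi's comments on the question describe, combined with the answer's point that the condition must be one the server itself enforces, sketched as an added Python example of the server side. This is not code from the question's PHP endpoint or from anyone on the page; `grant_money_token`, `apply_money`, `handle_request`, the in-memory `balances`/`pending` stores and the 60-second TTL are all assumptions made for the illustration.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 60.0                       # assumption: a grant is usable for one minute
balances: Dict[str, int] = {"player1": 100}    # constructed sample balance
# token -> (user, amount, expires_at); a real server would keep this in its database
pending: Dict[str, Tuple[str, int, float]] = {}


def grant_money_token(user: str, amount: int, now: Optional[float] = None) -> str:
    """Step 1 (server-internal): record that `user` earned `amount` and return a one-time token.
    Only server-validated game events call this; the client never picks the amount itself."""
    now = time.time() if now is None else now
    if amount <= 0:
        raise ValueError("amount must be positive")
    token = secrets.token_urlsafe(32)          # unguessable, unlike a key shared by everyone
    pending[token] = (user, amount, now + TOKEN_TTL_SECONDS)
    return token


def apply_money(user: str, amount: int, token: Optional[str],
                now: Optional[float] = None) -> Tuple[bool, str]:
    """Step 2 (client-facing): add money only if a matching, unexpired, unused grant exists."""
    now = time.time() if now is None else now
    if not token or token not in pending:
        return False, "no matching grant"
    g_user, g_amount, expires_at = pending.pop(token)   # pop = single use, even if checks fail
    if now > expires_at:
        return False, "grant expired"
    if g_user != user or g_amount != amount:
        return False, "grant does not match request"
    balances[user] = balances.get(user, 0) + amount
    return True, str(balances[user])


def handle_request(params: Dict[str, str], now: Optional[float] = None) -> Tuple[bool, str]:
    """Mirrors the question's query string (func=setmoney&r=<user>&money=<n>) plus a token.
    The shared apireqkey is deliberately ignored: it is the same for everyone and proves nothing."""
    if params.get("func") != "setmoney":
        return False, "unknown func"
    try:
        amount = int(params.get("money", ""))
    except ValueError:
        return False, "bad amount"
    return apply_money(params.get("r", ""), amount, params.get("token"), now)
```

Because the grant is consumed on first use and bound to user and amount, a request captured by a hosting peer cannot be replayed or edited to a different value.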