Search code examples
phpsecuritycurlspoofingkey-pair

How to make my PHP client be the only one that can get data from my PHP server

Hello I have this simple code:

Client

<?php

function get_url($request_url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $request_url);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $response = curl_exec($ch);
    curl_close($ch);

    return $response;
}

$request_url = 'http://localhost:8080/vb/dashboard/Marketing_dashboard/vb_server.php?function=somefunction';
$response = get_url($request_url);

print_r($response);

Server

if(isset($_GET['function']) && $_GET['function'] == 'somefunction')
{
    echo somefunction();
}
function somefunction()
{
    return "this is the output of the server";
}

Now I need to add security so that only my client is able to get the data. I thought of a pair keys so I send some hash encripted with the clients private key and the decode it with the public key on the server. But I dont lnow how to implement this. I don't know how to get the keys and I don't know how to do the code.

I'm open to options. How can I make my client the only one able to get the data from that server?

Solution

  • For starters, make the client connect to an https endpoint so it's encrypted. Next, you could pass in a token via an HTTP header and check it on the client side.

    The Rackspace APIs use the following header:

    X-Auth-Token: asdflkjasdflkjasdflkjsadflkjasdf

    Then you can grab the headers, validate the token is correct. If so, execute the function. If not, return a blank page or something else.

    You'll set your header like this:

    curl_setopt($c, CURLOPT_HTTPHEADER, array('X-Auth-Token: asdflkjasdflkjasdflkjsadflkjasdf'));

    Check it like:

    $headers = getallheaders();
if($headers['X-Auth-Token'] == 'asdflkjasdflkjasdflkjsadflkjasdf')
{
  if(isset($_GET['function']) && $_GET['function'] == 'somefunction')
  {
      echo somefunction();
  }
}
else
{
  echo "BAD TOKEN!";
}

function somefunction()
{
    return "this is the output of the server";
}

    Tested output:

    root@app01:/var/www/vhosts/application# curl -s http://localhost/headers.php -H "X-Auth-Token: asdflkjasdflkjasdflkjsadflkjasdf"

User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4   libidn/1.23 librtmp/2.3
Host: localhost
Accept: */*
X-Auth-Token: stuff

BAD TOKEN!


root@app01:/var/www/vhosts/application# curl -s http://localhost/headers.php -H "X-Auth-Token: asdflkjasdflkjasdflkjsadflkjasdf"

User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Host: localhost
Accept: */*
X-Auth-Token: asdflkjasdflkjasdflkjsadflkjasdf

DO STUFF