The problem:
We've developed an API which allows users to search and upload images.
Any application that wants to query it uses an API key which allows it to perform different actions according to its permissions.
Recently we started to expose some of the API's abilities in public websites.
For example, see the PicScout Search Tool on www.picscout.com (and press the "Launch Tool" button).
Here’s the issue: Exposing the key to unknown users can make us vulnerable to spam and abuse.
The solution:
In order to overcome this problem we decided to use Google reCAPTCHA. Using this tool means that only real people can pass through the system, as opposed to malicious bots.
Implementing this solution required both client-side and server-side changes. On the client side, we added support for the reCAPTCHA widget. This widget is shown to users before their first action on the site, and afterwards only if their token has expired. On the server side, we added a second layer of authentication. This layer is enforced only on API keys that are public, meaning those used on public sites. When making a request, the user must send the API key as well as the token supplied to them by Google reCAPTCHA. The server verifies this token together with a secret shared between the server and Google. If the token verifies successfully, the resource is returned to the user; otherwise, the request fails.
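As an added example (not PicScout's own code), here is how the second authentication layer described above can be implemented server-side in Python: a request made with a public key must carry a reCAPTCHA token, which the server verifies against Google's siteverify endpoint using the shared secret, while non-public keys pass only the first (API key) layer. The key registry, its permissions and the injectable `verify` hook are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

# Google's token verification endpoint (reCAPTCHA v2 siteverify API).
RECAPTCHA_VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Constructed sample key registry (assumption): a key is "public" when it is
# embedded in a browser page, so it additionally needs a reCAPTCHA token.
API_KEYS = {
    "pub-demo-key": {"public": True, "permissions": {"search"}},
    "srv-demo-key": {"public": False, "permissions": {"search", "upload"}},
}


def google_siteverify(secret, token, remote_ip=None, timeout=5):
    """POST the token and shared secret to Google; return the parsed JSON reply."""
    data = {"secret": secret, "response": token}
    if remote_ip:
        data["remoteip"] = remote_ip
    req = urllib.request.Request(
        RECAPTCHA_VERIFY_URL, data=urllib.parse.urlencode(data).encode()
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def authorize_request(api_key, action, captcha_token, secret,
                      remote_ip=None, verify=google_siteverify):
    """Two-layer check. Returns (allowed, reason)."""
    entry = API_KEYS.get(api_key)
    if entry is None:
        return False, "unknown api key"
    if action not in entry["permissions"]:
        return False, "action not permitted for this key"
    if not entry["public"]:
        # Server-to-server key: the API key alone is the only layer enforced.
        return True, "ok"
    if not captcha_token:
        return False, "captcha token required for public key"
    # Second layer: ask Google whether the token is genuine, unused and unexpired.
    # An expired or replayed token comes back as error code "timeout-or-duplicate",
    # which is the case where the client must show the widget again.
    result = verify(secret, captcha_token, remote_ip)
    if not result.get("success"):
        codes = ",".join(result.get("error-codes", []))
        return False, "captcha verification failed: " + codes
    return True, "ok"
```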
That's about it on how we use reCAPTCHA at PicScout.