HTTP-functions security

I’m creating an API for my site using wix-http-functions . The function will change the content of the Collection that stores all of the site’s data - rewriting it completely (removing everything in it, and inserting new data instead).
How do I make sure that the site’s data isn’t compromised - i.e. that only those authorised to use it are able to use it?


You should use backend (server-side) functions for any code that uses private information (API keys, passwords, etc).

For information regarding server-side code, see the article Calling Server-side Code from the Front-end with Web Modules .

Hi Yisrael. I think you didn’t understand my question (and actually this is the second time you answered one of my questions relating to wix-http-functions with an answer that completely disregards the fact that it’s about this feature). I was asking about having others call APIs on my website, not the other way around.

Sorry if I wasn’t clear. I was referring to others calling APIs from your website. The wix-http-functions API operates in the backend thus providing required security.

See the article Exposing a Site API with HTTP Functions .

But anyone with the API’s URL can call it - thus, making the site very vulnerable. How do I make sure that this won’t happen?

Like other web-based services (Google, Yahoo, etc), you will need to implement a mechanism for passwords or keys to ensure authorized access. These will be handled in the wix-http-functions that you create in the backend code so they won’t be exposed.

Could you offer some example or refer me to a tutorial on how to do that?

Hi Tal,

We do not have a tutorial for this specific request.

One way of achieving this is by passing a key and checking it in your http function.
For example, the request should look similar to this:

https://domain.com/_functions/list/addThis/andThis?k=A3cEf2ADf01

You get this info by httpRequest query
See here

If the key is not present or incorrect, the http function should return a 403 code (forbidden).

How this key is generated is up to you.
You can either manually type a random text string and simply add it to your backend code, or develop a key generator that generates new keys every X minutes/hours/days. The latter will probably take longer to develop.

So basically, hard coding the key into the HTTP request (does it matter if it’s passed as a parameter or as part of the body or the headers?), and then hard coding the verification into the HTTP function or a backend function called by the HTTP function (let’s say checking a collection to see if the key is there or something like that?)

Hi Tal,

It does not matter how it is added to the URL. It can be either a query ( ?k=something ) or as a part of the path ( /something/somethingelse/ )
Adding the secret key to a collection is a great idea for easy management.

Good luck

Can it also be part of the request body\headers or does it have to be added to the URL?

Hi,

Technically it is possible to add it in either the body, header or in any part of the URL.
Note that a GET request does not contain a body, therefore it will probably make more sense to avoid adding the key in the body part of the request, for the sake of uniformity.

Gotcha. Thanks.