DEV Community

Discussion on: How to prevent misuse of a public REST API endpoint.

rhymes

A few things:

  • monitoring, you need to know if and when people are abusing the API
  • if you don't require authentication, where does JWT fit in all of this?
  • look into rate limiting, you can rate limit based on the IP for example
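Added example (not code from anyone in this thread): a per-IP sliding-window rate limiter that also keeps a rejected-request counter per client, so the same component covers both the "rate limit by IP" and the "monitoring" points above. The limit, window, client addresses and the request log are constructed values assumed for the example.

```python
import time
from collections import defaultdict, deque


class SlidingWindowRateLimiter:
    """Per-key (e.g. client IP) sliding-window limiter: at most `limit`
    accepted requests in any `window_seconds` interval.  The `clock`
    hook exists so tests can drive time deterministically (assumption
    of this example, not something the thread specifies)."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._hits = defaultdict(deque)   # key -> timestamps of accepted requests
        self.rejected = defaultdict(int)  # key -> rejected count, exported for monitoring

    def allow(self, key):
        now = self.clock()
        q = self._hits[key]
        # Evict timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            self.rejected[key] += 1
            return False
        q.append(now)
        return True

    def abusive_clients(self, threshold):
        """Monitoring hook: keys whose rejected-request count reached `threshold`.
        In a real deployment this would feed a metric or an alert."""
        return sorted(k for k, n in self.rejected.items() if n >= threshold)


def simulate(requests, limit=5, window_seconds=60):
    """Replay a list of (timestamp, client_ip) tuples through the limiter and
    return ([(timestamp, ip, 'allow'|'reject'), ...], limiter)."""
    current = {"t": 0.0}
    limiter = SlidingWindowRateLimiter(limit, window_seconds, clock=lambda: current["t"])
    outcome = []
    for t, ip in requests:
        current["t"] = t
        outcome.append((t, ip, "allow" if limiter.allow(ip) else "reject"))
    return outcome, limiter


# Constructed request log: one address fires 8 requests in 8 seconds, another
# address sends a single request, then the first address returns after the window.
CONSTRUCTED_LOG = [(i, "203.0.113.5") for i in range(8)] + [(3, "198.51.100.7"), (70, "203.0.113.5")]

if __name__ == "__main__":
    outcome, limiter = simulate(CONSTRUCTED_LOG)
    for row in outcome:
        print(row)
    print("abusive:", limiter.abusive_clients(3))
```

With the constructed log, the first five requests from 203.0.113.5 are allowed, the next three are rejected, the other address is unaffected, and the request at t=70 is allowed again because the earlier hits have aged out; the rejected counter is what a dashboard or alert rule would watch.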
Inam Ul Haq • Edited

Thanks for some good suggestions.

I'm using a JWT token for updating, deleting and getting records. I also have an endpoint for login where I get that JWT token.

I can't use JWT for inserting, because that's where a user is being created for login.

Ryosuke

You should create a separate, non-authenticated endpoint for login -- and a separate endpoint for inserting other types of data.

It might seem like you're repeating code or something, but it's just a necessity for security.

Inam Ul Haq

Thanks for a great solution.

But still, any hacker can misuse that login endpoint by inserting thousands of users in a minute; that is my real concern.

Ryosuke

There are several other ways to prevent that.

  • Rate limits on API keys.
  • Rate limits on user registration
  • IP logging of users to DB + checking on registration for previous IPs
  • Re-captcha on the form
  • A honeypot (for physical forms) or CSRF (for both) to prevent brute force registration/authentication
  • Requiring email validation before account use

As long as any API is public there is a chance that it will be abused. It's all about reducing that chance.

The other option tends to be restricting registration -- which can hinder an app's adoption rate. Sometimes it's better to let spammers sneak in if it means real users don't get locked out.
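Added example (not code from anyone in this thread): a registration service that applies three of the controls listed above to the unauthenticated "create user" endpoint: a hidden honeypot form field, a cap on accounts created per source IP (the "IP logging to DB + checking on registration" idea), and an email verification step so the account cannot log in until the emailed token is presented. The field name `website`, the per-IP cap, the token lifetime, the in-memory store and the fake outbox are all assumptions of this example.

```python
import hashlib
import secrets
import time

VERIFY_TTL = 24 * 3600        # verification token lifetime in seconds (assumed value)
MAX_ACCOUNTS_PER_IP = 3       # accounts one source address may create (assumed value)


class RegistrationService:
    """Constructed example: pending-until-verified registration with a honeypot
    field and a per-IP account cap.  Storage is in-memory dicts standing in for
    the users table; `outbox` stands in for the mail sender."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}            # email -> {"status", "token_hash", "expires", "ip"}
        self.accounts_by_ip = {}   # ip -> number of accounts created from it
        self.outbox = []           # (email, token) pairs "sent" by the fake mailer

    def register(self, form, client_ip):
        # Honeypot: browsers leave the hidden 'website' field empty; bots that
        # fill every field trip it.  Name of the field is an assumption.
        if form.get("website"):
            return "rejected:honeypot"
        # IP check against previously recorded registrations.
        if self.accounts_by_ip.get(client_ip, 0) >= MAX_ACCOUNTS_PER_IP:
            return "rejected:ip_limit"
        email = form["email"].strip().lower()
        if email in self.users:
            # Same response as a fresh signup so the endpoint does not reveal
            # which addresses already exist.
            return "pending"
        token = secrets.token_urlsafe(32)
        self.users[email] = {
            "status": "pending",
            # Only a hash is stored, so a leaked table does not yield usable tokens.
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),
            "expires": self.clock() + VERIFY_TTL,
            "ip": client_ip,
        }
        self.accounts_by_ip[client_ip] = self.accounts_by_ip.get(client_ip, 0) + 1
        self.outbox.append((email, token))   # stand-in for sending the verification email
        return "pending"

    def verify(self, email, token):
        """Activate the account if the token matches and has not expired."""
        rec = self.users.get(email.strip().lower())
        if rec is None or rec["status"] != "pending":
            return False
        if self.clock() > rec["expires"]:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not secrets.compare_digest(presented, rec["token_hash"]):
            return False
        rec["status"] = "active"
        rec["token_hash"] = None   # single use
        return True

    def can_login(self, email):
        """The login endpoint would consult this before issuing a JWT."""
        rec = self.users.get(email.strip().lower())
        return rec is not None and rec["status"] == "active"


if __name__ == "__main__":
    svc = RegistrationService()
    print(svc.register({"email": "alice@example.com", "website": ""}, "203.0.113.5"))
    email, token = svc.outbox[-1]
    print("login before verify:", svc.can_login(email))
    print("verify:", svc.verify(email, token))
    print("login after verify:", svc.can_login(email))
```

The point of the pending state is that a burst of thousands of signups costs the attacker something (a mailbox per account) and leaves the rows inert until verified, while a per-IP cap and the honeypot drop the cheapest automated submissions before a row is written at all; the rate limit from earlier in the thread would sit in front of this on the same endpoint.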