How to differentiate between an internal & external REST API request?

On the server, is there any way to differentiate between an internal & external REST API request?

Why?

The reason I want to distinguish the two origins is that I may, based on the advice given by respondents, want to return a different data set, depending on who is trying to make the request.

Summary

My definition of internal may be incorrect. In this instance, 'internal' means a request made from an XHTTP request from the same domain as the page processing the request.

An external call might be a user creating a Curl request from another domain.

For instance:

http.service.ts

INTERNAL ANGULAR 6 REQUEST


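// Imports at the top of http.service.ts
import { HttpHeaders, HttpRequest } from '@angular/common/http';
import { Observable } from 'rxjs';
import { catchError, map } from 'rxjs/operators';

// Method of the service class
fetchLogin(formData: any): Observable<any> {
  const options = {
    reportProgress: false,
    headers: new HttpHeaders({
      'email': formData['email'],
      'password': formData['password']
    })
  };
  const req = new HttpRequest('POST', this.restApiUrl + this.restApiUrlEndpoint + '/oauth/', '', options);
  // RxJS 6 (Angular 6): operators are applied through pipe()
  return this.http.request(req).pipe(
    map((data) => 'body' in data ? data['body'] : null),
    catchError(this.handleError)
  );
}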

template.cfm

EXTERNAL COLDFUSION REQUEST


<cfset httpUrl = request.restApiUrl & request.restApiUrlEndpoint & "/oauth/">

<cfhttp url="#httpUrl#" method="post" result="result" timeout="30">
  <cfhttpparam type="header" name="email" value="[email protected]" />
  <cfhttpparam type="header" name="password" value="foo" />
</cfhttp>

Please understand that I have simplified these 2 code snippets to keep things clear.

When the request hits the server, how can I tell which request has come via XHTTP and which has been sent via CFHTTP [Curl]?

I am using Taffy.io REST API framework, so here is a simplified method, inside a 'resources' CFC, that I might use to process the request:

resources/oauthMember.cfc

<cfcomponent extends="taffy.core.resource" taffy_uri="/oauth">

<cffunction name="post">
  <cfset var local = StructNew()>
  <cfset local.data['email'] = "">
  <cfset local.data['password'] = "">
  <cfset local.requestBody = getHttpRequestData().headers>
  <cftry>
    <cfset local.data['email'] = Trim(local.requestBody['email'])>
    <cfset local.data['password'] = Trim(local.requestBody['password'])>
    <cfcatch>
      <!--- header missing: keep the empty defaults set above --->
    </cfcatch>
  </cftry>
  <!--- ...processing code --->
  <cfreturn representationOf(local.data) />
</cffunction>

</cfcomponent>

Adding an extra header to one of the calls is not viable, because this can easily be spoofed.

Any ideas?

Environment

Windows 2008R2, Lucee 4.5, IIS7+
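
The point made above about spoofable headers, shown as an added example that is not part of the original question or of Taffy: a server-side classifier built on request headers gives the same result for a browser XHR and for a scripted client that sends the same headers, while a credential the server issued and verifies does separate them. It is written in JavaScript (Node.js) rather than CFML; `SITE_ORIGIN`, the header names checked, the token format and the scope names are assumptions made for the illustration.

```javascript
// Added example; all names and values below are constructed.
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

const SITE_ORIGIN = 'https://app.example.test'; // assumed origin of the Angular app
const SERVER_KEY = randomBytes(32);             // known only to the API server

// Header-based guess: every input here is chosen by whoever sends the request.
function classifyByHeaders(headers) {
  const sameOrigin = headers['origin'] === SITE_ORIGIN;
  const xhr = headers['x-requested-with'] === 'XMLHttpRequest';
  return sameOrigin && xhr ? 'internal' : 'external';
}

const sign = (payload) => createHmac('sha256', SERVER_KEY).update(payload).digest('base64url');

// Issued by the server after a successful login; scope selects the data set.
function issueToken(memberId, scope, ttlSeconds = 900) {
  const claims = { memberId, scope, exp: Math.floor(Date.now() / 1000) + ttlSeconds };
  const payload = Buffer.from(JSON.stringify(claims)).toString('base64url');
  return `${payload}.${sign(payload)}`;
}

// Returns the claims only if the signature verifies and the token has not expired.
function verifyToken(token) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return null;
  const given = Buffer.from(parts[1]);
  const expected = Buffer.from(sign(parts[0]));
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  return claims.exp > Date.now() / 1000 ? claims : null;
}

// The data set is chosen from the verified credential, never from origin headers.
function dataSetFor(headers) {
  const auth = headers['authorization'] || '';
  const claims = auth.startsWith('Bearer ') ? verifyToken(auth.slice(7)) : null;
  return claims ? claims.scope : 'public';
}

// Constructed requests: a browser XHR and a scripted client sending the same headers.
const browserXhr = {
  origin: SITE_ORIGIN, 'x-requested-with': 'XMLHttpRequest',
  authorization: `Bearer ${issueToken(42, 'member')}`,
};
const scripted = { origin: SITE_ORIGIN, 'x-requested-with': 'XMLHttpRequest' };

console.log(classifyByHeaders(browserXhr), classifyByHeaders(scripted)); // internal internal
console.log(dataSetFor(browserXhr), dataSetFor(scripted));               // member public
```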
