Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How does Mongolab REST API authenticate

Tags:

rest

authentication

mongodb

api

mlab

The REST API for Mongolab is cool. I can use that for analytics in my website directly using the following javascript, provided on Mongolab's support page. Only if I can understand how the authentication actually works. The API key mentioned in the URL could be easily copied by anyone who'd view the html source. The Mongolab control panel does not offer any registration for my website that'd assure me that the api key will be validated only if coming from my domain. How does this authentication work?

$.ajax( { url: "https://api.mongolab.com/api/1/databases/my-db/collections/my-coll?apiKey=myAPIKey",
          data: JSON.stringify( { "x" : 1 } ),
          type: "POST",
          contentType: "application/json" } );
like image 582
brayne Avatar asked Sep 05 '12 07:09

brayne

People also ask

What kind of authentication is supported in MongoDB?

MongoDB supports x. 509 certificate authentication for client authentication and internal authentication of the members of replica sets and sharded clusters. x. 509 certificate authentication requires a secure TLS/SSL connection.

2 Answers

Excellent observation, and great question.

Currently, all API keys have read and write access to the databases associated with the user's account, and any agent possessing an API key can successfully issue any such request.

As you observe, this very basic pass key is not designed with any kind of fine-grained security in mind.

However, we're working on a batch of new REST API security features aimed at precisely that.

Contact us at [email protected] if you'd be interested in discussing the details.

like image 106
dampier Avatar answered Sep 22 '22 14:09

dampier

I'd like to use MongoLab service for my first AngularJs app with MongoDB, but MongoLab is not ready for production with a web app that wants access from the front end to the MongoDB.

It's very easy to get the API key in the browsers network traffic (see screenshot below, the apiKey is in plain text there) and then any one can have full access to the DB. So messing around with the MongoDB would be no problem.

I haven't found a workaround for MongoLab yet. At the moment, I think I will use another service like https://www.dreamfactory.com/

I haven't tried it in detail yet but it looks great for an AngularApp with MongoDB and I need to check how they implemented the security of the api. On the first look, it looks like it is working with session tokens to secure the requests to the database.

Screenshot network traffic MongoLab credentials

like image 34
AWolf Avatar answered Sep 21 '22 14:09

AWolf
Sign in to Comment

Related questions

Is there an OpenGrok API? [closed]
How to make sure Rails API is secured from CSRF?
Twitter API - upload an image
I/flutter (30720): SocketException: OS Error: Connection timed out, errno = 110, address = 192.19.170.13, port = 47763
Java API to convert JPEG to TIFF
Is there a Google Insights API? [closed]
USB API for Windows [closed]
Designing an API with designated client keys
Can anyone provide a good explanation of CURIEs and how to use them?
The client with object id does not have authorization to perform action 'Microsoft.Web/serverfarms/read' over scope
extend existing API with custom endpoints
What is a "pluggable" API?
How to get wikipedia page in multi languages?
Programmatically posting Facebook comments
API Error Code: 191
what does WINAPI stand for
{grape} authorization
Wikipedia API: search for famous people
External API calls from the frontend or backend?
Fix bugs in library code, or abandom them?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!