In my JS application I need to store some data in a database. For this, I wrote the simplest REST server using Yii2. Fortunately, that is terribly simple to do there.

But the question arose: what needs to be done, what technologies should be applied, so that the server works only with my application? That is, so that no one could perform any operation "from the side".

Closed because the question needs to be reformulated so that participants can give an objectively correct answer, by fori1ton, aleksandr barakin, pavel, cheops, HamSter Oct 27 '16 at 8:31


  • As an option, tie Basic Authorization to the API: when the JS tries to make a request to the API, a window pops up asking you to enter a login and password. - Vampir
  • @Vampir, I don't know, I haven't seen this approach in any similar service. - Ilya Bizunov
  • You can use login through social networks / Google. You can make your own authorization and store logins and passwords in the database. It depends on the need for speed of creation and simplicity of the system. If the application itself should connect to the API every day, then a token is better. - Vampir
  • @Vampir, I have login through social networks, but I don't understand how it can help. It works (now) completely on the client. Even if you implement it through the server, you will still need to transfer the user id and access_token, needed for working with the social network's API, from the server to the client. That alone will be enough to perform any actions using the server REST API. - Ilya Bizunov
  • There must be some verification on the server that a place can be added for this user, for example because the server knows (from some other source, not from the user himself) that the place was paid for. Protection against abuse by a legitimate user is possible only at the level of the application's business logic. Protection against interception of someone else's data: HTTPS + authorization. - Alexey Ten

1 Answer

You are clearly fighting in the wrong direction. If you are making a payment, the request should not come from the client but from the service that processes the payment. And usually there is already an algorithm implemented there for checking a packet through a signature, which can be calculated only by knowing the secret key.

For example, PayPal: [screenshot]

Or through the admin panel, if everything is done in manual mode.

As for Yii2 / REST and BasicAuth, this is normal practice. The documentation can be read here: http://www.yiiframework.com/doc-2.0/guide-rest-authentication.html