I'm building a web extension that will be a wrapper for a public API. There aren't any paid tiers for the API currently, but I'm trying to secure the API key so it doesn't get stolen and used outside of my app. I'd like to avoid having my permissions denied.
I currently have 2 ideas that would allow me to do such a thing:
1. Have the API key in plaintext in the web extension and hope that people are nice enough to not steal it using CRX Viewer (unlikely).
2. Proxy all API requests through a web server and append the API key server side, returning the results from the API via my proxy to the client.
I'm a fan of Node.js and would like to pursue number 2. How do I go about securing my API in Node.js so that people can't just reroute their requests through my server to the API instead of directly to the API with a stolen key?
2 Answers
If you have to limit the usage of your key, you have to limit the usage of your proxy.
The typical way is to have users sign up (passing some captcha to prevent naive robots from mass-registering), and issuing a token per user. A server only serves a bearer of a valid token. You can throttle usage per token, or even revoke and ban leaked and abused tokens.
This does make onboarding harder, and adoption lower.
Of course, ideally every user could just obtain their own API key, paste it into a settings box of your extension, and rid you of the necessity to run a proxy server. If this is even feasible, I'd explore this way first.
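The per-user token scheme described in the answer above, sketched for the Node.js proxy the question asks about. This is an added example, not code from the answer; the in-memory store, the limit values and the `X-Api-Key` header name are assumptions.

```javascript
// Added example: per-user bearer tokens with throttling and revocation.
// The store, limits and upstream header name are assumptions for illustration.
const { randomBytes, createHash } = require('node:crypto');

// The real key lives only on the server, never in the extension package.
const UPSTREAM_KEY = process.env.UPSTREAM_API_KEY || 'placeholder-key';
const LIMIT = 3;           // requests allowed per token per window (assumed)
const WINDOW_MS = 60_000;  // fixed window length (assumed)

// sha256(token) -> { revoked, windowStart, count }; a database in production.
const tokens = new Map();
const sha256 = (s) => createHash('sha256').update(s).digest('hex');

// Call only after sign-up (captcha etc.) has succeeded.
function issueToken() {
  const token = randomBytes(32).toString('hex');
  tokens.set(sha256(token), { revoked: false, windowStart: 0, count: 0 });
  return token; // handed to the user once; only its hash is stored
}

// Ban a leaked or abused token. Returns false if the token is unknown.
function revokeToken(token) {
  const rec = tokens.get(sha256(token));
  if (rec) rec.revoked = true;
  return Boolean(rec);
}

// Decide one proxied request. Returns an HTTP status and, on success,
// the headers to send upstream, with the key attached server-side.
function authorize(authorizationHeader, now = Date.now()) {
  const m = /^Bearer ([0-9a-f]{64})$/.exec(authorizationHeader || '');
  const rec = m && tokens.get(sha256(m[1]));
  if (!rec) return { status: 401 };          // missing or unknown token
  if (rec.revoked) return { status: 403 };   // banned token
  if (now - rec.windowStart >= WINDOW_MS) {  // start a new window
    rec.windowStart = now;
    rec.count = 0;
  }
  if (rec.count >= LIMIT) {
    return { status: 429, retryAfterMs: rec.windowStart + WINDOW_MS - now };
  }
  rec.count += 1;
  return { status: 200, upstreamHeaders: { 'X-Api-Key': UPSTREAM_KEY } };
}
```

In an HTTP handler, `authorize(req.headers.authorization)` runs before any upstream call, and only a `200` result is forwarded.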
If I don't misunderstand the question, one simple approach to this would be to pass your API key to the wrapper when you use it over a secure channel. As you note, by putting the key in the server, you haven't really solved anything; you still need to secure the server. If you require the key to be specified upon usage of the web extension, you also make this web extension usable by others.
mysite.com/api/something rather than theactualapi.com/api, using an environment variable would still expose my API key to queries outside of my application.