Django Rest Framework - prevent access to API?

I'm using Django Rest Framework and Token Authentication. Everything works great so far.

http://www.django-rest-framework.org/api-guide/authentication#tokenauthentication

But I'm realizing that anyone could create a third party app that hooks into my API. There'd be no way for me to detect it or stop it.

Am I missing something? I followed the directions, and I:

  • Send "username=blah&password=blah" to https://example.com/api/auth/, and receive a Token in return. Anyone could do this from a third party app.
  • That token is passed in the authentication header to retrieve data from the API. Anyone could do this if they have their user token.

Even if a user knows their own Token, I only want them to be able to access the API through the official native app.

1. How do I secure my API (using Token authentication) and make sure that only MY apps can connect to it?

2. Could I include some kind of secret key in a header? I'm using HTTPS in production, are headers as well as form data (username/password) interceptable/readable? (By the person running the app).

Still learning, thank you.



Solution 1:[1]

Perhaps I don't understand your question fully, but:

yes, everyone with a username and a password in your application can create tokens, if you added obtain_auth_token to your urlconfig (which you don't have to).

So you can:

  • only give the username and password to your apps
  • or deactivate the obtain_auth_token view and create the tokens in the admin or manually.

To answer your HTTPS question: HTTPS encryption is between the client and the server and lies between TCP and HTTP. So everyone in between (a man in the middle) can't see any headers, data, or even the path. When using SNI, the hostname (Host header) is visible, but nothing else.

Hope this helps a little.
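The two-step flow from the question, with the answer's mitigation of leaving obtain_auth_token out of the urlconf and provisioning tokens manually, as an added stdlib-only model (not DRF's own code, not part of the original post). The user store, token store, `issuing_enabled` switch and the `Authorization: Token <key>` header format are constructed stand-ins that mirror rest_framework.authtoken behaviour.

```python
"""Stdlib-only model of DRF TokenAuthentication as discussed above.

Constructed for illustration: USERS, TOKENS and the header parsing mirror
rest_framework.authtoken but are not its code. `issuing_enabled` stands in
for whether obtain_auth_token is wired into urls.py.
"""
import hashlib
import hmac
import secrets

# Constructed sample user store: username -> salted password hash
_SALT = b"constructed-salt"
USERS = {"blah": hashlib.sha256(_SALT + b"blah").hexdigest()}

# token key -> username; only provision_token() adds entries (the
# "create the tokens in the admin or manually" path from the answer)
TOKENS = {}


def _check_password(username, password):
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(digest, USERS.get(username, ""))


def provision_token(username):
    """Admin-side token creation: the only way a token exists when issuing is off."""
    if username not in USERS:
        raise KeyError(username)
    key = secrets.token_hex(20)  # DRF keys are 40 hex characters
    TOKENS[key] = username
    return key


def obtain_auth_token(form, issuing_enabled=False):
    """Step 1: POST username=...&password=... to /api/auth/ (status, key)."""
    if not issuing_enabled:
        return 404, None  # view not in the urlconf: nothing to hit
    if not _check_password(form.get("username", ""), form.get("password", "")):
        return 400, None
    return 200, provision_token(form["username"])


def authenticate(headers):
    """Step 2: token check on a protected view (status, username).

    Any client presenting a provisioned key is the user; the server cannot
    tell which app sent it, which is the limit the question runs into.
    """
    parts = headers.get("Authorization", "").split()
    if len(parts) != 2 or parts[0].lower() != "token":
        return 401, None
    for key, user in TOKENS.items():
        if hmac.compare_digest(key.encode(), parts[1].encode()):
            return 200, user
    return 401, None
```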

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: Denis Cornehl