Secure the API Key

You are a web developer and want to create a new webpage or web tool that uses an API Key.

As an example, we'll take the case of the banner tool. To create the banner, the tool needs the full profile API Key to get all the information and render it in an image that is displayed to the player.

Bad Way

The easiest way to do that is to create a URL like:

  • http://your.web.site/banner.php?key=FA30760A6ACE7550CA

banner.php then reads the key parameter and uses it to call the character API.

There's a problem with this URL. The user will paste it in a forum to display his banner. Anybody who views the HTML source of the forum page will find FA30760A6ACE7550CA, the user's full profile key, and can then use it to get all of the character's information (not only what is shown on the banner). The key also ends up in browser history, proxy and web server logs, and in the Referer header sent to any site linked from that page.

The Problem

To fix that, the banner tool needs to encrypt the API key so that nobody but the banner tool can decrypt it.

The PHP functions

We provide simple PHP functions to encrypt and decrypt an API key.

ryzom_encrypt($key, $passphrase='')

This function takes an API Key and an optional passphrase and returns the encrypted key (called the ckey).
If you omit the passphrase, the function automatically generates one based on some internal server information.

ryzom_decrypt($key, $passphrase='')

This function takes a ckey (encrypted API Key) and an optional passphrase and returns the decrypted API Key. The passphrase must be the same one that was used (or generated) when the ckey was created.

Good way

Taking the banner example again, when the user enters the URL:

we display an HTML form that asks for the API Key and sends it to the banner tool in a POST request.
The banner tool sees that there is an API Key in the POST data, generates the encrypted key (ckey) and redirects the user to the URL:

  • http://atys.ryzom.com/api/banner.php?ckey=cHMGBVNVcAh1dgEHXCUkawI=

As you can see, the URL only contains the ckey, which the tool decrypts to return the banner image. If another user gets hold of the URL, he only has the ckey, and since he does not know the passphrase, he cannot decrypt it to get the full profile API Key. Note that the ckey still acts as a token for the banner tool: anyone holding it can request that banner, and anyone who obtains the server's passphrase can decrypt every ckey, so the passphrase must stay on the server and never appear in a URL, form or page source.
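The following is an added example, not the Ryzom API's own code: a self-contained banner.php that follows the POST-then-redirect flow described above. Because the page does not describe the internals of ryzom_encrypt and ryzom_decrypt, it uses stand-in functions (example_encrypt and example_decrypt, built on AES-256-GCM via PHP's openssl extension) that behave as the page describes, and it adds one property a practitioner will want from any such helper: a tampered or forged ckey is rejected rather than decrypted to garbage. EXAMPLE_SECRET, the field names, and the placeholder rendering step are assumptions.

```php
<?php
// Added example, not the project's own code. Stand-ins for ryzom_encrypt /
// ryzom_decrypt; requires the openssl extension (PHP 7.1+).

// Hypothetical server-side secret: load it from a config file or environment
// variable in practice. It must be long and random, never a human passphrase,
// and it must never be sent to the browser.
const EXAMPLE_SECRET = 'replace-with-32-plus-random-bytes-from-the-server-config';

// Derive a fixed 256-bit AES key from the secret (HKDF, domain-separated by info).
function example_key(string $secret): string {
    return hash_hkdf('sha256', $secret, 32, 'banner-ckey-v1');
}

// API key -> ckey. AES-256-GCM provides confidentiality and an authentication
// tag, so decrypt fails on any modification of the ckey. Output is base64url,
// which is safe inside a query string.
function example_encrypt(string $apiKey, string $secret): string {
    $iv  = random_bytes(12);          // fresh nonce per ckey
    $tag = '';
    $ct  = openssl_encrypt($apiKey, 'aes-256-gcm', example_key($secret),
                           OPENSSL_RAW_DATA, $iv, $tag, '', 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return rtrim(strtr(base64_encode($iv . $tag . $ct), '+/', '-_'), '=');
}

// ckey -> API key, or null when the ckey is malformed, forged or tampered with.
function example_decrypt(string $ckey, string $secret): ?string {
    $raw = base64_decode(strtr($ckey, '-_', '+/'), true);
    if ($raw === false || strlen($raw) < 12 + 16 + 1) {
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', example_key($secret),
                           OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// --- Request handling for the banner tool ---------------------------------

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['key'])) {
    // Step 2: the form posted the full profile key. Turn it into a ckey and
    // redirect, so the key itself never lands in a URL, bookmark or forum post.
    $ckey = example_encrypt($_POST['key'], EXAMPLE_SECRET);
    header('Location: banner.php?ckey=' . rawurlencode($ckey), true, 303);
    exit;
}

if (isset($_GET['ckey'])) {
    // Step 3: a banner request carrying a ckey. Only this server holds the
    // secret, so only this server can recover the API key from it.
    $apiKey = example_decrypt($_GET['ckey'], EXAMPLE_SECRET);
    if ($apiKey === null) {
        http_response_code(400);
        exit('invalid ckey');
    }
    // Placeholder: here the tool would call the character API with $apiKey
    // and render the banner image. The API key is never echoed back.
    header('Content-Type: text/plain');
    exit('banner would be rendered here');
}

// Step 1: no key at all, show the form that POSTs it (never a GET form,
// which would put the key straight into the query string).
?>
<form method="post" action="banner.php">
  <label>API Key: <input type="password" name="key" autocomplete="off"></label>
  <button type="submit">Create banner</button>
</form>
```

Two design points carry over to whatever encryption helper you actually use. The ckey should be authenticated, so that someone who cannot decrypt it also cannot mint a ckey for an arbitrary key or flip bits in an existing one and have the tool act on the result; and the encryption must use a fresh nonce per ckey, otherwise two users with the same key (or the same user twice) get identical ckeys, which leaks information even though the key itself stays hidden.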