Validating a JSON response from web server


I am currently using the Invision forums to host my site,

We are using their API keys to pull users data & log them in via our launcher.

It's been brought to my attention that all the information returned to our launcher is in plain text (JSON). This makes it very easy for someone to redirect our traffic to the launcher and plug in a fake JSON file.

In short, cracking the launcher/login system.

I need to know if there is any method of validation I can call to ensure that the information IS being sent from my host & not another Man in the Middle.

The site is HTTPS.

Thanks.

XemnasVault On BEST ANSWER

Okay, so a little bit of background here.

1. We are using a cloud hosted community, so our access is a tad more limited than a self hosted website etc.

2. We WERE sending the API key as a parameter with C#. Here's a sample of how I would retrieve a user's active purchases (I would enable pageview tabs on results, which have access to download links, updaters and launch methods of programs etc.):

using System.Net;
using Newtonsoft.Json.Linq;
using RestSharp;

// MemID is the member id obtained from the earlier members request
var client = new RestClient("https://HIDDEN.forumflash.com");
var request = new RestRequest("/api/nexus/purchases", DataFormat.Json);
request.AddParameter("key", "BlahBlahBlah"); // Enter in API key
request.AddParameter("customers", MemID);    // Pass id from member request
request.AddParameter("active", 1);           // Check active purchases only
var response = client.Get(request);

if (response.StatusCode == HttpStatusCode.OK)
{
    // The body is always a JSON string; parse it into a dynamic object
    dynamic resp = JObject.Parse(response.Content);
    // do stuff with object.
}

The result is always a json string, and I have no ability to change this.

3. Another way of us being able to access this information is by getting an oAuth token and sending that instead of an API key. This I feel is a touch safer, as we can revoke any authorization token at any time, along with changing the secret on a whim, and the token would expire (change) every hour or so?

But we feel that might not be quite "enough", and would like to take it one step further by "authenticating" that the response DID in fact come from the server, or server IP address, instead of some middleman's server.

I have been looking into server cert validation, but all I can seem to find is ways to disable it, or how to send certs, nothing explicit with examples on validation (and let's be honest, we're always still learning, this was an oopsie on our part). A simple nudge in the appropriate direction would be of immense help.
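The "nudge" asked for above, as an added example that is not part of the original post and not Invision's or RestSharp's own code: the launcher keeps the normal TLS chain, hostname and expiry checks and additionally pins the server's public key, so a response only counts as "from our host" if the TLS session was authenticated by a certificate whose SubjectPublicKeyInfo hash we already know. It uses `HttpClientHandler.ServerCertificateCustomValidationCallback` from .NET (assumed .NET 5 or later for `PublicKey.ExportSubjectPublicKeyInfo()`); the pin values, the `Bearer` token header and the `PinnedApiClient` class name are placeholders and assumptions, not values from the page.

```csharp
// Added example (not from the original post): TLS public-key pinning for the
// launcher's HTTPS calls. Assumes .NET 5+ and that the API accepts an OAuth
// bearer token (assumption; check the API docs for the exact header).
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

public static class PinnedApiClient
{
    // PLACEHOLDERS: Base64 SHA-256 of the server's DER SubjectPublicKeyInfo.
    // Generate with: openssl x509 -in server.pem -pubkey -noout
    //   | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
    private const string ExpectedSpkiPinBase64 = "REPLACE_WITH_SERVER_SPKI_SHA256_BASE64";
    // A backup pin for the next key, so a planned key rotation does not lock
    // every launcher out until it is updated.
    private const string BackupSpkiPinBase64 = "REPLACE_WITH_BACKUP_SPKI_SHA256_BASE64";

    // Hash the DER-encoded SubjectPublicKeyInfo of a certificate. Pinning the
    // key rather than the whole certificate survives a renewal that keeps the key.
    public static string ComputeSpkiPin(X509Certificate2 cert)
    {
        byte[] spki = cert.PublicKey.ExportSubjectPublicKeyInfo();
        using var sha256 = SHA256.Create();
        return Convert.ToBase64String(sha256.ComputeHash(spki));
    }

    private static bool ValidateServerCertificate(
        HttpRequestMessage request, X509Certificate2 cert, X509Chain chain, SslPolicyErrors errors)
    {
        // Step 1: keep the default checks (trusted chain, hostname match, not
        // expired). Returning true unconditionally here is what "disables"
        // validation, which is exactly what the launcher must not do.
        if (errors != SslPolicyErrors.None || cert is null)
            return false;

        // Step 2: also require the leaf's public key to match one of our pins.
        // A certificate that chains to some other root installed on the client
        // (an interception proxy, a mis-issued cert) then fails even though it
        // passed step 1, because the response was not authenticated by our key.
        string pin = ComputeSpkiPin(cert);
        return pin == ExpectedSpkiPinBase64 || pin == BackupSpkiPinBase64;
    }

    public static HttpClient Create()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = ValidateServerCertificate
        };
        return new HttpClient(handler)
        {
            BaseAddress = new Uri("https://HIDDEN.forumflash.com")
        };
    }

    // Same call as the RestSharp sample above, but authenticated with an OAuth
    // token in the Authorization header instead of an API key in the query
    // string, so the secret does not land in URL/proxy logs.
    public static async Task<string> GetActivePurchasesAsync(HttpClient http, string bearerToken, int memberId)
    {
        var req = new HttpRequestMessage(HttpMethod.Get, $"/api/nexus/purchases?customers={memberId}&active=1");
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", bearerToken);
        using HttpResponseMessage resp = await http.SendAsync(req);
        if (resp.StatusCode != HttpStatusCode.OK)
            throw new HttpRequestException($"API returned {(int)resp.StatusCode}");
        // Any JSON that reaches this point was received over a session pinned
        // to our key; parse it as before (JObject.Parse etc.).
        return await resp.Content.ReadAsStringAsync();
    }
}
```

Two caveats worth knowing before shipping this. First, pinning moves the trust decision into the launcher binary, so a key rotation on the cloud host (which, on a hosted community, you may not be told about in advance) will break logins until users update; the backup pin exists for that reason, and pinning an intermediate CA's key instead of the leaf is the common compromise when you do not control the certificate. Second, this defends the channel between launcher and host; it does nothing against someone patching the launcher itself to skip the check, so the launcher's own integrity (code signing, update verification) is a separate problem from the one asked about here.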