views:

19

answers:

2

There is an integration with an API for conducting live online classes. The API wanted us to post a form to their site along with a parameter called customer_token as an input field. It is used for authentication by the API and every customer site is assigned one token. The customer token is actually some hashed value of the domain name or IP or something.

Now, after the integration, they want me to hide the customer_token input field somehow from being accessible through Mozilla's Firebug and similar tools, because anybody can see the token and send a similar form to the API and access the API's service. Needless to say, the API is not developed by some experts. They did not realize the issue before and it is not a widely used API.

I asked a question previously on http://stackoverflow.com/questions/3510011/best-way-to-hide-a-form-input-field-from-being-accessed-using-firebug and realised that it is not possible to hide any information through a GET/POST method. Someone asked me whether the request is being sent directly to the API, or first to my server or something.

Please explain how it fixes the security issue and how I implement it.

Thanks, Sandeepan

A: 

You could POST to your server, which in a script, POSTs all the parameters to the API form action, but with the customer_token added in your script, server-side, which clients can't see.

So, you have your original form:

<form action="http://someapi.com/blah" method="POST">
    <input type="hidden" name="customer_token" value="foo">
    <input type="text" name="whatever">
    ...
</form>

And instead use:

<form action="myapiblah.php" method="POST">
    <input type="text" name="whatever">
    ...
</form>

Note that there's no customer_token in the second example. Then, in myapiblah.php - change the name obviously, especially depending on the server-side language you're using. I might be able to provide more specific examples if you tell me what you use - use something like this pseudo-code:

parameters = $_POST;
parameters['customer_token'] = 'foo';
send_http_request('POST', 'http://someapi.com/blah', parameters);

You'll need to look up the details of what to use for send_http_request.

In PHP, you'd do something like this, if you can use the pecl_http stuff in PECL:

$params = $_POST;
$params['customer_token'] = 'foo';   // the token lives only here, server-side

$req = new HttpRequest('http://someapi.com/blah', HttpRequest::METH_POST);
$req->addPostFields($params);        // form fields go in the POST body, not the query string
try {
    $req->send();
    if ($req->getResponseCode() == 200) {
        // success!
    }
    else {
        // got to the API, the API returned perhaps a RESTful response code like 404
    }
}
catch (HttpException $ex) {
    // couldn't get to the API (probably)
}
Lucas Jones
That's what I was looking for. I didn't know about the send_http_request function. And yes, I work on PHP too. Thanks a lot.
sandeepan
@sandeepan: There isn't actually a `send_http_request` function - I was merely using that in pseudocode. :) You should, however, be able to build on the PHP at the end of the answer.
Lucas Jones
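A fuller version of the relay described in the answer above, written as an added example for this page rather than code from the answer or from the API vendor. It assumes PHP with the cURL extension, an environment variable named CUSTOMER_TOKEN (a placeholder name), and a login session on your own site; the endpoint URL is the one used in the answer.

```php
<?php
// Added example, not code from the original answer: a server-side relay for
// the form above. The browser posts here; this script adds customer_token from
// server-side configuration and forwards the request with cURL, so the token
// never appears in HTML the client can inspect. Placeholders: the API URL is
// the one from the answer, CUSTOMER_TOKEN is an assumed env variable name, and
// the session check stands in for whatever login your site already has.
const API_ENDPOINT = 'http://someapi.com/blah';
const FORWARDED_FIELDS = ['whatever']; // only these client fields are relayed
session_start();
if (empty($_SESSION['user_id'])) {
    // Hiding the token is pointless if anyone can still reach the API through
    // this script, so the relay is limited to your own logged-in users.
    http_response_code(403);
    exit('login required');
}
// Copy only allowlisted fields, so a client cannot post its own customer_token
// (or any other field) and override the value set below.
$params = [];
foreach (FORWARDED_FIELDS as $name) {
    if (isset($_POST[$name])) {
        $params[$name] = (string) $_POST[$name];
    }
}
// The token lives in the environment (or a config file outside the web root).
$token = getenv('CUSTOMER_TOKEN');
if ($token === false || $token === '') {
    http_response_code(500);
    exit('relay not configured');
}
$params['customer_token'] = $token;
$ch = curl_init(API_ENDPOINT);
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => http_build_query($params),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_TIMEOUT        => 15,
]);
$body = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($body === false) {
    http_response_code(502); // could not reach the API at all
    exit('upstream error');
}
http_response_code($status === 200 ? 200 : 502);
echo $body; // hand the API's reply back to the browser
```

Because the token is now only a server-side value, rotating it means changing one environment variable rather than redeploying any page, and the Firebug view of the form shows nothing worth copying.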
A: 

The one who asked you is right! Does the form go first to the webserver? This means: is the site posted to a normal URL for which Apache or another webserver takes the request, or does the form go to a specific service (like a webserver, which is also only a service which listens on a port - port 80 for webservers, mostly)? If you hide a field in a webform, it is useless. If you take a look at the source code of the site you can still see the hidden field!

Mr Q.C.