API changes: More security
April 3rd, 2008 by Shashank

We have changed our API in an important way in order to prevent Cross Site Request Forgery attacks. APIs which use implicit authentication - e.g., HTTP Basic authentication or cookies - are vulnerable to such attacks, because the browser attaches those credentials to every request on its own: a page on some other site can make your browser issue a request to our API, and that request arrives already authenticated as you. A token that your script must add to each request explicitly is never supplied by the browser automatically, so a forged cross-site request arrives without it and is rejected.
What’s the change?
- We have added an explicit ‘login’ command which returns a “token” for the session if the login is successful.
- Subsequent commands in the session must all include this token in order to be processed.
- The token expires after a “reasonable” time-out, on the order of 10 minutes, after which the script must log in again.
I hope it will not be too much of a hassle for you to adapt your scripts. Security is paramount when it comes to handling finances.
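The login / token / time-out flow described above, worked through as an added example. This is not Buxfer's code: only `login.xml`, the `userid` and `password` parameters and the base URL come from the API documentation; the `token` parameter name, the `transactions.xml` command, the reply strings, the in-memory user and session stores and the sample credentials are all assumptions, and the request/response exchange is simulated in-process so it runs offline. It also shows, for contrast, the old cookie-authenticated style that a forged cross-site request defeats, and it builds request URLs with `urlencode`, which is what the comment below about URL-escaping the password is getting at.

```python
"""Login / token / expiry flow for a query-string API (added example, not Buxfer's
code). Command names other than login.xml, parameter names, reply strings and the
in-memory stores are assumptions; the exchange is simulated locally."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_TTL = 600.0  # the post's "reasonable" time-out: about 10 minutes

# Constructed user table (hypothetical). Only a salted PBKDF2 hash is stored; the
# password deliberately contains characters that must be URL-escaped on the wire.
_SALT = b"example-salt-not-for-production"


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"john@doe.com": _hash("d&h=doh#2008")}

# Browser cookie jar for the old, cookie-authenticated API (constructed).
LEGACY_COOKIES = {"sid-1": "john@doe.com"}

_sessions = {}  # token -> (userid, expiry time)


def login(userid, password, now=None):
    """Explicit login: returns a fresh token, or None on bad credentials."""
    now = time.time() if now is None else now
    expected = USERS.get(userid)
    if expected is None or not hmac.compare_digest(expected, _hash(password)):
        return None
    token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
    _sessions[token] = (userid, now + TOKEN_TTL)
    return token


def authenticate(token, now=None):
    """Map a token to its user, or None if unknown or past its time-out."""
    now = time.time() if now is None else now
    entry = _sessions.get(token)
    if entry is None:
        return None
    userid, expiry = entry
    if now >= expiry:
        del _sessions[token]  # expired tokens are forgotten
        return None
    return userid


def _parse(url):
    parts = urlsplit(url)
    command = parts.path.rsplit("/", 1)[-1]
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.scheme, command, params


def handle_legacy(url, cookie):
    """Old, CSRF-prone style: the cookie the browser sends is all that authorises."""
    _, command, _ = _parse(url)
    userid = LEGACY_COOKIES.get(cookie or "")
    return f"OK {command} for {userid}" if userid else "ERROR: not logged in"


def handle(url, now=None, cookie=None):
    """New style: the cookie is ignored; only an explicit, unexpired token counts."""
    scheme, command, params = _parse(url)
    if scheme != "https":
        return "ERROR: use https"
    if command == "login.xml":
        token = login(params.get("userid", ""), params.get("password", ""), now)
        if token is None:
            return "ERROR: The userid / password combination is invalid"
        return f"OK token={token}"
    userid = authenticate(params.get("token", ""), now)
    if userid is None:
        return "ERROR: missing or expired token"
    return f"OK {command} for {userid}"


# ---- client side ----
BASE = "https://www.buxfer.com/api/"  # base URL from the API documentation


def build_url(command, **params):
    # urlencode escapes '@' as %40 and '&', '=', '#' as %26, %3D, %23, so the
    # server sees the password exactly as typed instead of a truncated one.
    return BASE + command + "?" + urlencode(params)


def client_session(userid, password, now=None):
    """Log in, then issue one token-bearing command (transactions.xml is assumed)."""
    reply = handle(build_url("login.xml", userid=userid, password=password), now)
    if not reply.startswith("OK token="):
        return reply
    token = reply[len("OK token="):]
    return handle(build_url("transactions.xml", token=token), now)


if __name__ == "__main__":
    print(client_session("john@doe.com", "d&h=doh#2008"))
```

The forged request in the CSRF case is simply `transactions.xml` with no `token` parameter: `handle_legacy` accepts it on the strength of the cookie alone, while `handle` rejects it even when the same cookie is present, because the attacker's page cannot read or attach the token. Note also that pasting the password into the URL unescaped, as in `password=d&h=doh#2008`, makes the server see `password=d`, which produces exactly the "userid / password combination is invalid" reply.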


April 4th, 2008 at 12:46 am
Nice site! It looks like it will be very useful for me.
In the API documentation you sometimes write http:// instead of https:// which can be a security risk for those copying and pasting.
e.g.
> Login using email address and password
> http://www.buxfer.com/api/login.xml?userid=john@doe.com&password=dohdoh
Also, I am having trouble logging in with the login command. I have tried with an explicit @ and with the quoted %40. Am I missing something? I get
> ERROR: The userid / password combination is invalid
Even though I am sure they are correct.
Thanks,
Scott
April 4th, 2008 at 11:34 am
Scott: I checked and it seems like our API is operating correctly. Perhaps you did not URL-escape special characters in your password?
I have also fixed the http/https inconsistencies. Thanks a lot for pointing that out.