Using REST to fetch data. What are the ways to prevent abuse of API calls?

Discussion in 'Requests' started by arinda, Dec 9, 2019.

    
  1. arinda

    arinda New Member


    I am returning some data from my db into Tally with a URL to the resource location (with a userkey).
    I need to write something so that a stranger can't copy the .TCP file with a customer's userkey and fetch that data.

    What are my options here using Developer9? Is there any inbuilt feature? Purchasing a Tally license won't be a problem for us.
     


  2. teja varma

    teja varma Active Member


    There is no such feature in TCP; it only limits to serial number.
    But you have a bunch of options.
    1) You can use the GUID of the requested company by sending the GUID of the current company along with your request, so that you can verify it against your GUID in the database (stored at the beginning). GUIDs are unique and impossible to match, and if strangers want to get the data they need to have that same GUID, which is very hard (they need to have that same company in their application).
    2) You can generate a unique hash for each of your clients and store that hash as an invisible field in the company they are using; then,
    when you are making the request, send that hash along with your request and verify it.
    3) A combination of 1 and 2 makes it harder to misuse the TCP :)
     


  3. arinda

    arinda New Member


    >it only limits to serial number

    Do you mean linking a TCP to a license key? Is this possible to do? Can the TCP be tied to Tally accounts (based on license)?

    (1) is not possible for us because we are allowing the user to search by name as the first step, and we cannot take any risk with even one ID matching on another PC.
    (2) If someone copies the TCP file, won't they also get the same hash? How would we differentiate at the request?
     


  4. teja varma

    teja varma Active Member


    Yes, that is what the developer license is for: you can compile your code to TCP (binary) for a particular serial number so it won't work for other serial numbers.
    Buy the Tally developer license; then you can use that feature, and you will also get developer support from Tally Solutions.
     
    Last edited: Dec 11, 2019


  5. Amit Kamdar

    Amit Kamdar Administrator Staff Member


    There are two ways of compiling a TCP... you must use the "irreversible" mode...
    Compiling in this form will secure your program. Not even Tally can de-compile it.
     


  6. arinda

    arinda New Member


    Thanks, I am new to this. Is there a Tally marketplace for plugins where my company can sell our data?

    Is there any video or article on how the serial number linking works?
     


  7. arinda

    arinda New Member


    Disregard my previous post. I found one resource on this. I don't get the Manage Serial button on my version as it is free.

    My new questions are:

    1. Are the serials added into the TCP every time it's compiled (after adding a new serial each time)?

    2. Is there a chance an early customer will have an outdated list of serials where one blacklisted serial still exists, and that blacklisted person is able to access by copying the old TCP?

    3. Can the serial number of the customer's Tally account (using my TCP) be fetched inside the TCP and sent along with my HTTP request? That way I can match his serial against my online whitelist and allow access accordingly.
     


  8. balajimg

    balajimg Active Member


    Yes, you can do that too,

    but to add a new serial number you have to amend your source code and recompile,

    so either way you have to recompile.
     
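    The server-side half of what the thread sketches (teja varma's options 1 and 2, and arinda's question 3 about matching the reported serial against an online whitelist), as an added example that is not code from the original posts or from Tally. It assumes the TCP sends the Tally serial number, the company GUID and a timestamp with each request and, in place of the thread's plain "hash", an HMAC-SHA256 tag computed with a per-client secret that lives in the customer's company data rather than in the TCP. `build_request` only stands in for the TCP side; reading the serial and GUID out of Tally is TDL work and is not shown. The registry, serials, GUIDs and secrets are constructed sample data. Keeping the whitelist on the server also answers question 2 above: a blacklisted serial is rejected the moment it is flagged in the registry, whatever TCP build the customer still has.

    ```python
    import hashlib
    import hmac
    import time
    from typing import Optional, Tuple

    # Constructed registry (example data): one record per licensed customer,
    # keyed by the Tally serial number the TCP reports with each request.
    # "secret" is the per-client value option 2 in the thread stores as a hidden
    # field in the customer's company; it is never compiled into the TCP.
    CLIENT_REGISTRY = {
        "712345678": {
            "company_guid": "c6b6a0c4-1f2e-4e2a-9a3d-000000000001",
            "secret": b"per-client-secret-issued-at-onboarding-1",
            "active": True,
        },
        "712345679": {
            "company_guid": "c6b6a0c4-1f2e-4e2a-9a3d-000000000002",
            "secret": b"per-client-secret-issued-at-onboarding-2",
            "active": False,  # blacklisted server-side; no recompile of the TCP needed
        },
    }

    MAX_CLOCK_SKEW = 300  # seconds; bounds how long a captured request stays valid


    def compute_token(secret: bytes, serial: str, company_guid: str, timestamp: int) -> str:
        """HMAC-SHA256 over the identity fields of one request.

        Binding serial, GUID and timestamp under one MAC means a copied request
        cannot be re-pointed at another serial or replayed later without the secret.
        """
        message = f"{serial}|{company_guid}|{timestamp}".encode()
        return hmac.new(secret, message, hashlib.sha256).hexdigest()


    def build_request(secret: bytes, serial: str, company_guid: str, timestamp: int) -> dict:
        """Stand-in for what the TCP would send (hypothetical; the TDL side is not shown)."""
        return {
            "serial": serial,
            "company_guid": company_guid,
            "timestamp": timestamp,
            "token": compute_token(secret, serial, company_guid, timestamp),
        }


    def verify_request(params: dict, now: Optional[int] = None) -> Tuple[bool, str]:
        """Server-side check to run before any customer data is returned."""
        now = int(time.time()) if now is None else now
        try:
            serial = str(params["serial"])
            company_guid = str(params["company_guid"])
            timestamp = int(params["timestamp"])
            token = str(params["token"])
        except (KeyError, ValueError, TypeError):
            return False, "malformed request"

        record = CLIENT_REGISTRY.get(serial)
        if record is None:
            return False, "unknown serial"          # copied TCP running on someone else's Tally
        if not record["active"]:
            return False, "serial revoked"          # blacklisted without shipping a new TCP
        if abs(now - timestamp) > MAX_CLOCK_SKEW:
            return False, "stale timestamp"         # replay of an old capture
        if not hmac.compare_digest(record["company_guid"], company_guid):
            return False, "company guid mismatch"   # option 1 from the thread
        expected = compute_token(record["secret"], serial, company_guid, timestamp)
        if not hmac.compare_digest(expected, token):
            return False, "bad token"               # wrong or missing per-client secret
        return True, "ok"


    if __name__ == "__main__":
        now = int(time.time())
        good = CLIENT_REGISTRY["712345678"]
        legit = build_request(good["secret"], "712345678", good["company_guid"], now)
        print("licensed customer:", verify_request(legit, now))
        # A stranger who copied the .TCP: their Tally reports their own serial,
        # and they do not hold the customer's secret.
        stolen = build_request(b"guess", "700000000", good["company_guid"], now)
        print("copied TCP:", verify_request(stolen, now))
    ```

    The two `compare_digest` calls are deliberate: comparing the GUID and the tag with `==` would leak, byte by byte, how close a guess is. Checking the serial before the tag keeps the cheap rejection first, so a flood of requests from unlicensed installs never reaches the HMAC.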


  9. Amit Kamdar

    Amit Kamdar Administrator Staff Member


    Yes... it can be done, but Sr # 1 is enough.
     


  10. Amit Kamdar

    Amit Kamdar Administrator Staff Member


    You seem to be more paranoid than the Russians during the height of the Cold War.

    Relax, the irreversible method and linking the serial number during the compilation is more than ample and sufficient to secure your program.
     


  11. arinda

    arinda New Member


    Hahaha, true. I wanted clarity on the approach.

    How do I fetch the GUID or any system-specific value inside the TCP? Thank you, Sirji.
     


  12. arinda

    arinda New Member


    Does the serial number stay same if someone renews a license?
     


  13. balajimg

    balajimg Active Member


    Yes, it remains the same.
     

