Forem Creators and Builders 🌱

Discussion on: Accessing DEV.to APIs

Daniel Uber

Hi Bob,

If you're only going to use the API via a browser hosted script, you can't use the api-key header in requests, and won't need an api key at all.

The api-key header works if you're doing server-side (or local) scripting, rather than accessing the api from a browser. Certainly, this does limit some functionality exposed by the api when you try to use it from a browser.

I would say yes, there are separate considerations regarding functionality and security, and when they conflict, security carries more weight. My understanding would be that you don't want to embed your api key in a script on a published page. If the browser is making the requests, and has to send the header, anyone viewing the page has plaintext access to the api key, and all the permissions it grants.

I'm not sure what Google Sheets is doing to disable this protection, but there are methods available if you search them out; you might want to think about what that means and whether that's dangerous or not.

Trying the /api/articles/me endpoint you linked to with an XMLHttpRequest, I definitely did get a request-blocked message from the browser, pointing to the api-key not being a permitted header. This is intentional: the configuration is here and sets the allowed header list empty.

The same request made with curl from my desk completed successfully (as the api-key header is not stripped from the request in that case, and a json articles list is returned as I was able to authenticate successfully).
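As an added illustration (not code from this thread or from Forem), here is a small JavaScript model of the browser-side CORS check Daniel describes: which request headers need preflight permission, and how an empty Access-Control-Allow-Headers list blocks `api-key` while a plain GET passes. The header values are constructed; the allowed-header string stands in for the server's preflight response.

```javascript
// Added example: a model of the browser's CORS preflight decision for a
// custom request header such as `api-key`. The server's preflight reply
// is modelled by an Access-Control-Allow-Headers string; the thread says
// Forem sets that list empty. curl does not enforce any of this, which is
// why the same request succeeds from a terminal.

// Headers the CORS spec lets a browser send without a preflight.
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Return the (lower-cased) request headers that need server permission.
function nonSafelistedHeaders(requestHeaders) {
  return Object.entries(requestHeaders)
    .filter(([name, value]) => {
      const lower = name.toLowerCase();
      if (!SAFELISTED.has(lower)) return true;
      // Content-Type is only safelisted for three simple MIME types.
      if (lower === "content-type") {
        const mime = value.split(";")[0].trim().toLowerCase();
        return !SAFE_CONTENT_TYPES.has(mime);
      }
      return false;
    })
    .map(([name]) => name.toLowerCase());
}

// Decide whether the browser lets the request through, given the
// Access-Control-Allow-Headers value from the preflight response
// ("" models an empty allowed-header list).
function browserAllowsRequest(requestHeaders, allowHeadersResponse) {
  const needed = nonSafelistedHeaders(requestHeaders);
  if (needed.length === 0) return { allowed: true, blocked: [] };
  const permitted = new Set(
    allowHeadersResponse.split(",").map(h => h.trim().toLowerCase()).filter(Boolean)
  );
  // "*" is a wildcard only for requests sent without credentials; assumed here.
  const wildcard = permitted.has("*");
  const blocked = needed.filter(h => !wildcard && !permitted.has(h));
  return { allowed: blocked.length === 0, blocked };
}

// Constructed inputs mirroring the thread: a public GET and one carrying api-key.
const publicGet = { Accept: "application/json" };
const authedGet = { Accept: "application/json", "api-key": "PLACEHOLDER_KEY" };

console.log(browserAllowsRequest(publicGet, "")); // { allowed: true, blocked: [] }
console.log(browserAllowsRequest(authedGet, "")); // { allowed: false, blocked: ['api-key'] }
```

The second result is the browser's "header not permitted" block; note that the key sitting in `authedGet` is exactly the plaintext value any visitor to the page could read.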

Bob Fornal

I don't disagree with anything said here.

At the same time, what I guess I was pointing out somewhat poorly is there seems to be a gap in the documentation; what you said here about the security should be included with the API documentation to clarify the intent of the design.

Thanks! Bob.

Daniel Uber

Hi Bob,

That makes sense - a note at developers.forem.com/api#section/A... about CORS protections limiting the ability to use the authenticated APIs in a browser seems like it would avoid wasted effort.

I do see some note at the beginning of the api docs:

All endpoints that don't require authentication are CORS enabled.

I'll open a PR to add a note in the api key section.