XF 2.2 What protections does the XF REST API have against unauthorized attacks?

Pawn Studios

Active member
I would love to make use of the XF REST API, however, with a lack of option to grant only certain permissions to a user, and no way of restricting access to a whitelist of IP addresses, I feel that enabling the API with a super user key (which is required for user login testing) is akin to opening a backdoor to my forum installation.

What protection does the API authentication have against someone attempting to gain unauthorized access to it?

Mike

XenForo developer
Staff member
So there are a few things here beyond the main question you're asking...

with a lack of option to grant only certain permissions to a user
You can (and generally should) limit the scopes granted to a key to the specific ones you want. If you're just wanting to check a username/password combination, the auth scope should be all that you need.

and no way of restricting access to a whitelist of IP addresses
True, though if this is significant to you, this can be implemented via your web server (or a reverse proxy if you're using that). All API requests have a /api/ prefix so they can be detected.

What protection does the API authentication have against someone attempting to brute force the super user API key if I were to create one?
So there isn't an explicit brute force filtering, though the brute forcing is likely to be significantly more difficult than you might be thinking. API keys are randomly generated 32 character strings. This is significantly more "entropy" than any traditionally-generated password and results in something around 10^57 potential combinations. This is well above the point of a practical brute force attempt, even disregarding the additional difficulty of attempting to brute force a value on a remote server.

They are also looked up in a way to be resistant to timing attacks (so you can't work out 1 character at a time).

It's worth mentioning that even beyond API keys, the entire concept of user "remember me" keys uses essentially the same concept. These have existed in XF since the beginning (though the approach was changed for 2.0 for different reasons).
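An added illustration of the two points above, not XenForo's own code: it works out the size of a 32-character random key space (a 62-character alphanumeric alphabet is an assumption for the arithmetic) and shows a key lookup that stores and compares SHA-256 digests in constant time, so a wrong key cannot be rejected one character at a time, with a scope check on top.

```python
import hashlib
import hmac
import math
import secrets
import string

# Assumed alphabet: the page only says keys are random 32-character strings.
ALPHABET = string.ascii_letters + string.digits
KEY_LENGTH = 32


def key_space(alphabet_size: int = len(ALPHABET), length: int = KEY_LENGTH) -> int:
    """Number of distinct keys: alphabet_size ** length (62**32 is about 2.3e57)."""
    return alphabet_size ** length


def key_entropy_bits(alphabet_size: int = len(ALPHABET), length: int = KEY_LENGTH) -> float:
    """Entropy of a uniformly random key in bits: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def generate_key() -> str:
    """Generate a key with a CSPRNG, never with random.choice."""
    return "".join(secrets.choice(ALPHABET) for _ in range(KEY_LENGTH))


def key_digest(key: str) -> str:
    """Only the digest is stored and indexed; the raw key never hits the database."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


class ApiKeyStore:
    """Constructed in-memory store: digest -> {"digest": ..., "scopes": set()}."""

    def __init__(self) -> None:
        self._records = {}

    def add(self, key: str, scopes) -> None:
        digest = key_digest(key)
        self._records[digest] = {"digest": digest, "scopes": set(scopes)}

    def lookup(self, presented: str):
        """Hash the presented key, fetch by digest, then confirm with a constant-time compare."""
        digest = key_digest(presented)
        record = self._records.get(digest)
        if record is None or not hmac.compare_digest(record["digest"], digest):
            return None
        return record

    def authorize(self, presented: str, required_scope: str) -> bool:
        """True only if the key is valid AND was granted the required scope."""
        record = self.lookup(presented)
        return record is not None and required_scope in record["scopes"]
```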