We have a website using PWA Client calls / Mobile APP, all using the same APIs. We have APIs Exposed to Public. Currently, our APIs are not secure meaning that anyone can check APIs signature via developer tools/proxy tools and hit the API.
We want our APIs to be hit by verified clients. Verified clients do not mean logged in clients. Our website can be used by non-logged in users as well. Clients here mean users accessing the website via browsers/app.
So for that, we are planning that we will allow those APIs only which have the registered/enabled token and that will be sent via header.
Now to generate the token:
- Device —- sends Token(B) Request—-> Server
- Server generates Token(B) and returns it and stores it in Redis
- Device —- sends Token(B) to enable request—–> Server
- The server enables it
- The device sends Token(B) in all subsequent requests
- The server checks whether the token exists in Redis in the enabled state or not
Since these register/enable token APIs are also exposed publicly, to ensure no one is able to hack this process:
- While enabling the token, we also send the Encrypted token(A) alone with the actual token(B).
- At the server, we decrypt the token(A) and matches it with the normal Token(B).
Encryption is done using the private key known to client/Server only.
Is this the right approach and this is vulnerable? The only issue is seen is that register/enable token APIs are exposed publically. But we have also added the security to that, is that good enough?