
I'm new to web development and was recently learning about REST APIs and security with JWT tokens, but I am a bit confused about the security aspect with regard to websites without any kind of user signup/login.

Let's say I want to make a basic website from the approach of a REST API, but it only does GET requests and doesn't require any kind of signup/login whatsoever. The website would simply render content to the page from a database using AJAX via GET requests whenever a user, for example, clicks a button or scrolls down.

In this case, do those GET requests require any form of authentication/authorization even though the website doesn't require any login/signups or any form of PUT, POST or DELETE requests to modify data?

I know this might be a simple question, but I just can't seem to find an explanation anywhere. I'm probably just searching incorrectly.

incognito

1 Answer


You can create a GET API without requiring authentication, yes. An example of this is Reddit's JSON API. https://reddit.com/.json is a simple way to view a page on their site in JSON format, which can then be parsed by my server to display reddit content. No login, no posts, no authentication.

However, you will notice that Reddit limits what you can do with that... I can only read information. It is NOT secure to allow database modifications through GET when the values supplied are coming from the user, and especially if you aren't using the HTTPS protocol together with other secure methods of authenticating. I say this because when you don't have proper rate limits in place, and no formal method of authenticating who is connecting to your server, it becomes incredibly easy to crash your database tables if you are allowing DB changes on the fly through the API.

Now, for JWT - This article here is a great one that I usually send people to: https://jwt.io/introduction/

It breaks it down fairly well, but ultimately you are going to realize that JWT is not too ideal for no-login systems, but not impossible. Here are 2 examples of similar questions on SO that may help you :)

Secure REST API without user authentification (no credentials)

How to use JWT without user and login?

Hope this all helps you make an informed decision.

If you really don't want logins, have you considered email verification? It's just that the purpose of JWT is kind of weakened without a method of validating who is coming with the token through other means. I personally wouldn't rely on JWT as a standalone measure of security.

Here's an example of a simple & secure REST API... This would allow someone to fetch some content for a blog article (id) or something like that.

<?php
// $connect is assumed to be an already-open mysqli connection created elsewhere.
header('Content-Type: text/plain; charset=utf-8');
header('X-Content-Type-Options: nosniff');

// Validate rather than sanitize: only a positive integer id is accepted.
// (FILTER_SANITIZE_NUMBER_INT would let through "", "-" or "+" as an id.)
$id = filter_input(INPUT_GET, 'content', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    echo "What do you want?";
    exit;
}

// Prepared statement: the id is bound as an integer, never interpolated into the SQL.
// `table` is quoted because it is a reserved word in MySQL.
$db = $connect->prepare("SELECT content FROM `table` WHERE id = ?");
$db->bind_param("i", $id);
$db->execute();
$db->bind_result($content);
if ($db->fetch()) {
    echo $content;
} else {
    http_response_code(404);
    echo "Not found";
}
$db->close();
?>

No tokens needed, no login needed... that's a simple database fetch & output for a GET API.

Nerdi.org
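The answer above makes three points about an anonymous, read-only API: reject anything that is not a read, validate the user-supplied id before it reaches the query and bind it as a parameter, and rate-limit by client address because there is no identity to key on. The following is an added example (not code from the question, the answer, or Reddit) that puts all three together in Python. It assumes a hypothetical `/content?id=N` endpoint, an in-memory SQLite table standing in for the real database, and a pure `handle()` function that returns `(status, headers, body)` so the logic can be exercised without a running web server; the sample rows are constructed for the example.

```python
"""Anonymous GET-only content API: method allow-list, strict id validation,
parameterized query and per-client sliding-window rate limiting.
Added example; all names and sample data are hypothetical."""
import json
import re
import time
from collections import defaultdict, deque
from typing import Dict, Optional, Tuple

# Only ASCII digits without a leading zero; "1 OR 1=1" or "-1" never reach SQL.
ID_PATTERN = re.compile(r"[1-9][0-9]*")

JSON_HEADERS = {
    "Content-Type": "application/json; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "public, max-age=60",
}


def build_store():
    """Constructed sample data: an in-memory SQLite table standing in for the real DB."""
    import sqlite3
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, content TEXT NOT NULL)")
    conn.executemany("INSERT INTO article (id, content) VALUES (?, ?)",
                     [(1, "First post"), (2, "Second post")])
    return conn


class RateLimiter:
    """Sliding-window limiter keyed by client address:
    at most `limit` requests per `window` seconds per client."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # client -> timestamps of recent requests

    def allow(self, client: str, now: float) -> bool:
        hits = self._hits[client]
        while hits and now - hits[0] >= self.window:   # drop hits outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def _error(status: int, message: str, extra: Optional[Dict[str, str]] = None):
    return status, {**JSON_HEADERS, **(extra or {})}, json.dumps({"error": message})


def handle(method: str, path: str, query: Dict[str, str], client: str,
           conn, limiter: RateLimiter, now: Optional[float] = None) -> Tuple[int, Dict[str, str], str]:
    """Process one request and return (status, headers, body)."""
    now = time.monotonic() if now is None else now

    # 1. Read-only surface: anything that could change state is refused outright.
    if method != "GET":
        return _error(405, "method not allowed", {"Allow": "GET"})

    # 2. No login means no user to throttle, so throttle the client address instead.
    #    This runs before validation so junk requests also count against the budget.
    if not limiter.allow(client, now):
        return _error(429, "rate limited", {"Retry-After": str(int(limiter.window))})

    if path != "/content":
        return _error(404, "not found")

    # 3. Validate, don't sanitize: refuse anything that is not a positive integer.
    raw = query.get("id", "")
    if not ID_PATTERN.fullmatch(raw):
        return _error(400, "id must be a positive integer")
    article_id = int(raw)

    # 4. Parameterized query: the value is bound, never spliced into the SQL text.
    row = conn.execute("SELECT content FROM article WHERE id = ?", (article_id,)).fetchone()
    if row is None:
        return _error(404, "not found")
    return 200, dict(JSON_HEADERS), json.dumps({"id": article_id, "content": row[0]})


if __name__ == "__main__":
    store, limiter = build_store(), RateLimiter(limit=3, window=60)
    for req in [("GET", {"id": "1"}), ("GET", {"id": "1 OR 1=1"}), ("POST", {"id": "1"}),
                ("GET", {"id": "99"}), ("GET", {"id": "2"})]:
        print(req, "->", handle(req[0], "/content", req[1], "10.0.0.1", store, limiter)[::2])
```

Running the module shows the shape of the responses: a valid id returns the row as JSON, an injection attempt such as `1 OR 1=1` is rejected with 400 before any SQL is built, a POST gets 405 without touching the limiter, and the fourth read from the same address inside the window gets 429. Whether the limiter should count invalid requests (as here) or only successful ones is a design choice; counting everything is the safer default for an endpoint that anyone on the internet can hit.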