Problem with license authentication system using IPB web API


Solved by teraßyte

Posted (edited)

We have our own license management system based on IPB for our desktop software application. In order to prevent interception of the network traffic, which could be used for software piracy, we encrypt requests and responses between the desktop application and a PHP script on our server. The PHP script then uses the IPB web API to retrieve information about the user's license. The response to the user is encrypted, so they cannot intercept the response to spoof a fake valid license.

The system works really well, except for one problem. If any automatic security actions kick in, the entire user base can be blocked from accessing their license info. If one user tries to log in too many times with a bad password, IPB bans the IP address where the requests are coming from, which happens to be its own server! This means all requests from the PHP script hosted on the same server are blocked. The solution is to manually un-ban the IP address. Since there is no whitelist of IP addresses NOT to ban, I have to do this manually any time it happens.

The other error I have seen is a message "TOO_MANY_REQUESTS_WITH_BAD_KEY". I do not know how to resolve this problem. Our entire user base is currently blocked from using the software because of this error.

How do you advise I deal with these issues?

 

Edited by Interferon

27 minutes ago, Interferon said:

This means all requests from the PHP script hosted on the same server are blocked. The solution is to manually un-ban the IP address. Since there is no whitelist of IP addresses NOT to ban, I have to do this manually any time it happens.

As you are utilizing the API in an abnormal manner here, you may encounter some "bumps in the road" as you have here. There is currently no whitelist. You can try restricting your API Key to your server's IP address if you haven't; however, this is likely a new feature you would need to suggest in our Feedback forum. Generally, it isn't a good idea in an API system like this.

27 minutes ago, Interferon said:

The other error I have seen is a message "TOO_MANY_REQUESTS_WITH_BAD_KEY". I do not know how to resolve this problem. Our entire user base is currently blocked from using the software because of this error.

Is the server sending no key, a bad key, or a corrupted key at any point, or is the request not completing? This would be the only case to encounter this issue.


Posted (edited)

The server is passing on whatever authentication token the client application sends.

3 minutes ago, Jim M said:

Generally, it isn't a good idea in an API system like this.

How can a desktop application use the IPB API to securely verify license info without being vulnerable to spoofed responses?

Edited by Interferon

Posted (edited)
1 minute ago, Jim M said:

The system is designed in an OAUTH API style so the client would be making the direct request to the system.

Is this a way of saying "this is not a supported capability"?

One way to solve this would be to have an encryption key, or series of keys, that both the client and server have access to, to encrypt the responses.

Edited by Interferon
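
An added example, not part of the original post: a signed response instead of the shared encryption key suggested above, so the client only holds a public key that cannot be used to forge a valid license. It assumes PHP's sodium extension; the function names and the `nonce` and `expires` fields are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: the relay signs each answer, the client verifies it with the public key.
function signLicenseResponse(array $license, string $clientNonce, string $secretKey, int $now): string
{
    // Reserved fields come first so a license record can never override them.
    $fields  = ['nonce' => $clientNonce, 'expires' => $now + 60] + $license;
    $payload = json_encode($fields, JSON_THROW_ON_ERROR);
    $sig     = sodium_crypto_sign_detached($payload, $secretKey);
    return json_encode(
        ['payload' => base64_encode($payload), 'sig' => base64_encode($sig)],
        JSON_THROW_ON_ERROR
    );
}

/** Returns the license data, or null when the response is forged, replayed or stale. */
function verifyLicenseResponse(string $response, string $sentNonce, string $publicKey, int $now): ?array
{
    $env = json_decode($response, true);
    if (!is_array($env) || !is_string($env['payload'] ?? null) || !is_string($env['sig'] ?? null)) {
        return null;
    }
    $payload = base64_decode($env['payload'], true);
    $sig     = base64_decode($env['sig'], true);
    // The length check avoids a SodiumException on a truncated signature.
    if ($payload === false || $sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return null;
    }
    if (!sodium_crypto_sign_verify_detached($sig, $payload, $publicKey)) {
        return null;
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !is_string($data['nonce'] ?? null) || !hash_equals($sentNonce, $data['nonce'])) {
        return null; // answer to a different request: a recorded response played back
    }
    if (!is_int($data['expires'] ?? null) || $data['expires'] < $now) {
        return null;
    }
    return $data;
}

// Constructed demo: throwaway key pair and a made-up license record.
$kp    = sodium_crypto_sign_keypair();
$pub   = sodium_crypto_sign_publickey($kp);
$nonce = bin2hex(random_bytes(16));
$resp  = signLicenseResponse(['member_id' => 42, 'licensed' => true], $nonce, sodium_crypto_sign_secretkey($kp), time());
var_dump(verifyLicenseResponse($resp, $nonce, $pub, time()) !== null);                    // fresh response, matching nonce
var_dump(verifyLicenseResponse($resp, bin2hex(random_bytes(16)), $pub, time()) !== null); // same response against a new nonce
```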

1 minute ago, Interferon said:

Is this a way of saying "this is not a supported capability"?

As mentioned, you are using the system in a way it isn't currently designed for, so you would need to make Feedback suggestions to change anything which you see doesn't fit how you are using it. This will be evaluated by our team to see if it fits the needs and design of the feature.


It clears up after 5 minutes:

		/* If we have tried to access the API with a bad key more than once in the last 5 minutes, throw an error to prevent brute-forcing */
		if ( \IPS\Db::i()->select( 'COUNT(*)', 'core_api_logs', array( 'ip_address=? AND is_bad_key=1 AND date>?', \IPS\Request::i()->ipAddress(), \IPS\DateTime::create()->sub( new \DateInterval( 'PT5M' ) )->getTimestamp() ) )->first() > 1 )
		{
			throw new \IPS\Api\Exception( 'TOO_MANY_REQUESTS_WITH_BAD_KEY', '1S290/D', 429 );
		}

 

It's also possible to make a modification to whitelist IP addresses. It needs a couple of hooks on some functions, but it's doable. I did it for a client before as part of a bigger request.


1 hour ago, Randy Calvert said:

How often is the desktop client checking the license? If it’s checking more than once in 5 minutes, you might consider having it only do it hourly or daily.

Only when the user checks for updates which is not very frequent, but there are thousands of users doing the same thing.

2 hours ago, teraßyte said:

It's also possible to make a modification to whitelist IP addresses. It needs a couple of hooks on some functions, but it's doable. I did it for a client before as part of a bigger request.

Where can I find the code file where the IP addresses get banned? I just need to enter our server's own IP address. I don't mind hard-coding it.


3 minutes ago, Interferon said:

Only when the user checks for updates which is not very frequent, but there are thousands of users doing the same thing.

Are those users all behind the same IP address? Based on the code pasted above, this looks to be happening when a single IP triggers more than one error within a 5 min period. So if a user just manually mashes a validate button over and over this could be a problem. Maybe building in a check to restrict how many times it can be manually checked?

If you have a ton of users all sharing a proxy IP, that obviously would not work.


2 minutes ago, Randy Calvert said:

Are those users all behind the same IP address? Based on the code pasted above, this looks to be happening when a single IP triggers more than one error within a 5 min period. So if a user just manually mashes a validate button over and over this could be a problem. Maybe building in a check to restrict how many times it can be manually checked?

If you have a ton of users all sharing a proxy IP, that obviously would not work.

Please re-read the original post if you are interested in this subject.


  • Solution
15 minutes ago, Interferon said:

Where can I find the code file where the IP addresses get banned? I just need to enter our server's own IP address. I don't mind hard-coding it.

The function that checks if the IP is banned or has made too many bad requests is the function _checkIpAddressIsAllowed() in system/Dispatcher/Api.php on lines 198-230.


Thank you. The primary issue is solved. It is still possible to trigger the bad key error, but I have only seen this happen once and I prefer to leave the check in until I add protection from brute forcing into my script.
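
An added example, not code from the thread or from IPS: one way the relay script could refuse repeat offenders itself, so a single client's rejected tokens stop reaching the API from the server's own address. `RelayThrottle`, the `relay_failures` table and the sample addresses are hypothetical; because the check quoted earlier counts every bad key logged for the relay's IP, two different clients failing within five minutes can still trigger it.

```php
<?php
declare(strict_types=1);

// Added example: the relay keeps its own record of tokens the API rejected.
final class RelayThrottle
{
    public function __construct(
        private PDO $db,
        private int $window = 300,    // seconds; the same 5 minutes as the upstream check
        private int $maxFailures = 1  // rejected tokens tolerated per client per window
    ) {
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $db->exec('CREATE TABLE IF NOT EXISTS relay_failures
                   (client_ip TEXT NOT NULL, token_hash TEXT NOT NULL, ts INTEGER NOT NULL)');
    }

    /** True when the request must be refused locally instead of being relayed. */
    public function shouldBlock(string $clientIp, string $token, int $now): bool
    {
        // Forget failures that have aged out of the window.
        $this->db->prepare('DELETE FROM relay_failures WHERE ts <= ?')
                 ->execute([$now - $this->window]);
        $q = $this->db->prepare('SELECT COALESCE(SUM(client_ip = ?), 0) AS by_client,
                                        COALESCE(SUM(token_hash = ?), 0) AS by_token
                                 FROM relay_failures');
        $q->execute([$clientIp, hash('sha256', $token)]);
        $row = $q->fetch(PDO::FETCH_ASSOC);
        // A token the API already rejected is not relayed again inside the window,
        // whichever client presents it.
        return (int) $row['by_token'] > 0 || (int) $row['by_client'] >= $this->maxFailures;
    }

    /** Call when the API answered this request with a bad-key error. */
    public function recordFailure(string $clientIp, string $token, int $now): void
    {
        // Only a hash of the token is stored, never the token itself.
        $this->db->prepare('INSERT INTO relay_failures VALUES (?, ?, ?)')
                 ->execute([$clientIp, hash('sha256', $token), $now]);
    }
}

// Constructed demo: in-memory SQLite and documentation-range addresses.
$throttle = new RelayThrottle(new PDO('sqlite::memory:'));
$t0 = 1700000000;
var_dump($throttle->shouldBlock('203.0.113.7', 'bad-token', $t0));         // first attempt by this client
$throttle->recordFailure('203.0.113.7', 'bad-token', $t0);                 // the API rejected it
var_dump($throttle->shouldBlock('203.0.113.7', 'other-token', $t0 + 60));  // same client, new token
var_dump($throttle->shouldBlock('198.51.100.9', 'bad-token', $t0 + 60));   // other client, same rejected token
var_dump($throttle->shouldBlock('198.51.100.9', 'good-token', $t0 + 60));  // other client, unseen token
var_dump($throttle->shouldBlock('203.0.113.7', 'other-token', $t0 + 301)); // first client after the window
```

In production the PDO handle would point at a file or the relay's existing database, and the client address must come from the connection itself, not from a header the client can set.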
