I'm setting two virtual hosts on my local pc, the first domain is http://dev.local and the other one handles the api request http://api.server.local/. The idea is simple, but not sure how to implement this kind of setup. So here's the actual process. The dev.local will send some important parameters and values which the API server read it first and validate the data sent from dev.local.
For example I have the API key provided from API server and being stored in the database together with the domain that can only use that API. So the most important thing is that I want to make sure that only dev.local can do the request. Here is some illustration.
[illustration] https://i.imgur.com/OKu34TM.png
I already tried cURL functions but for some reasons, the data can be access by anyone if they have a copy of the api key. So I want to make sure where the request come from or the origin of the request.
This is the script I have for my dev.local in order to get access to my api.server.local
<?php
$__apiServer = 'http://api.server.local';
$__apiVersion = '1.0';
$__apikey = '7c4a8d09ca3762af61e59520943dc26494f8941b'; // API Key
$__apiEmail = 'johnsmith99@gmail.com'; // Registered Email Address
$__apiUser = 'johnsmith'; // Username
$__curlURL = "";
$__curlURL = "{$__curlURL}{$__apiServer}/v{$__apiVersion}";
$__curlURL = "{$__curlURL}/bin.php?user={$__apiUser}";
$__curlURL = "{$__curlURL}&email={$__apiEmail}";
$__curlURL = "{$__curlURL}&key=$__apikey";
$__curlURL = "{$__curlURL}&domain=$_SERVER[SERVER_NAME]";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $__curlURL);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
if(curl_exec($ch) === FALSE) {
echo "Failed to load resource files from the API Server: $__apiServer";
} else {
$__curlURL = curl_exec($ch);
if($err != 1){
eval(' ?>' . $__curlURL);
}
}
curl_close($ch);
I expect that the value can only be return if the required data are valid. For now the ouput can be read as expected but can be accessible by anyone if they have the copy of api key and other credentials.