Technically Feasible

API Callback URLs and HTTP Authentication

Likeness of Michael Oldroyd
Michael Oldroyd
⚠️ This content was imported from a previous incarnation of this blog, and may contain formatting errors

When developing web applications that use APIs, it is usually necessary to have the development site accessible for API callback URLs. A good example would be when working with payment gateway systems, which typically post back success or failure of transactions. In this event it is convenient to use HTTP authorisation to prevent outside access (users, crawlers, etc.). The issue with this is that API systems don't always work with the http://[user]@[password]:[url] method of manually passing through this authentication method.

If this case, and you are using Apache, you can always bypass HTTP authentication altogether;

Order deny,allow
Deny from all
AuthUserFile "/path/to/htusers"
AuthType Basic
AuthName "Dev"
require valid-user
allow from 192.168.1.0/24 # Allow traffic from example internal network addresses
allow from 127 # Allow all traffic on loopback address
allow from X.X.X.0/24 # Allow all traffic from External IP address range
Satisfy Any

The key here is the "Satisfy Any" directive. This instructs Apache to allow a connection to authenticate if any of the conditions are true. Traffic from the specified IP addresses will now bypass authentication, meaning that any API callbacks can poll the application endpoints you have set up. This method does rely on the callbacks coming from a specific IP address or IP range. It may not be a workable solution if the callbacks can originate from multiple unknown addresses, such as cloud services.

The other thing to note; if placed directly into a VirtualHost directive, this gives full access to the site / virtual domain to these IP addresses. This could potentially be an issue, which can be resolved by placing them within Location or Directory directives. This allows you to restrict access to specific directories or URLs within the application. Which you require depends purely upon how your API callbacks are implemented.

Image of me

Michael Oldroyd

Michael is a Software Engineer working in the North West of England.