Secure Ninox API calls

Hi,

I've just started looking into the Fetch API to make calls to the Ninox server from the Ninox client side (web app). I'm a bit worried about exposing the Ninox API Key this way.

Can anyone with experience tell us the best way to do this safely?

I saw in this post that you mentioned something about an external script. Could you tell us a bit more about this external script? Could you tell us how you put this script into practice?

Thank you all.

6 replies

    • mengelhardt
    • 2 mths ago

    Essentially you route the request to the Ninox API through a script that you install on some machine you control. E.g. if you have a webspace, you would put a PHP script there that you call from your nxscript code. In the PHP script you request the data from the Ninox API. After receiving data, the PHP script returns this data to the nxscript's call.

    Since the PHP script's code is set to be unreadable (you must make sure of that), the API key is hidden from any attacker. Unless, of course, the PHP script or the machine it's installed on gets hacked.

    You can ask bolt.new or Copilot to write the PHP script for you. But remember to double-check what they give you. Also, don't forward all requests to the Ninox API through the PHP script unchecked. Otherwise you expose too much data to the internet or you might get DoS'ed.

      • szormpas
      • 2 mths ago

      Thank you for taking the time to answer. If I'm the only one using the Ninox platform, is the risk still the same?

      • mengelhardt
      • 2 mths ago

      In that case no one can see your API key, unless there's some serious hacking involved, maybe if you unwittingly embed some malicious external script. Other than that, you can assume it's safe.

      What is your use case for accessing the API from within Ninox? Maybe using the relatively new "do as database" construct (https://docs.ninox.com/en/manage-databases/modularity/do-as-database-...-end) would work for you as well?

      • szormpas
      • 2 mths ago

      Thanks, but I'm afraid "do as database ... end" is only available for Private Cloud and On-Premises.

      I want to enhance my Ninox application by using custom JavaScript or ready-made JS libraries inside Ninox's html() function in formula fields.

      In this case, I use the fetch() function to retrieve data from or send data to the Ninox API server.

      You can explore such a kind of implementation in the Dashboard Template thread.

      Please feel free to comment on the security threats of such an approach.

      • mengelhardt
      • 2 mths ago

      So if a lot of people use this example you linked, it probably wouldn't hurt to mention the API key's visibility problem to them. The linked thread is a bit tl;dr for me, so maybe it's been mentioned already...

      • szormpas
      • 2 mths ago

      Thanks a lot. I'll post a related note for forum members.