The Movie Database Support
Support → API Support
[Security] v3 Auth secret passed in URL
posted by KnossosSTAFFMOD on August 31, 2019 at 10:35 PM
The v3 auth is inherently insecure as passing secrets in a URL (e.g. session id, API key, etc) is a security vulnerability as they are saved in browser history, server logs, people can post a link containing credentials unaware that they have exposed their auth details, can be exposed in the 'Referer' header, can be cached by analytics companies, etc.
The v4 auth uses a Bearer token in a header to avoid this vulnerability, however it appears to require a User token to authenticate, as such there is no secure way to authenticate an application without user credentials.
Would it be possible to add support for passing the API key and Session ID in a header for a more secure v3 auth? Would it also be possible to add support for generating v4 auth application and guest session tokens that do not require user credentials?
Reply by Travis Bell
on September 3, 2019 at 10:07 AM
v3 is getting support for the Bearer tokens shortly (next week or two). My open ticket for that is here.
You can currently use your read token as a replacement for the
api_keyparam on v4, and that's what will be getting added to v3. This token does not need user authentication, feature wise, it has parity with theapi_key. The only thing needing user auth is the user features, same as the way session ID's and guest session ID's work.I can post an update on this discussion when v3 has support for the bearer token.
Reply by Travis Bell
on September 5, 2019 at 4:58 PM
If you wish, you can now use the same method to authenticate v3 & v4. Just pass your v4 token in as a
Authorizationheader, as a Bearer token. Same as v4.Reply by Knossos
on September 6, 2019 at 11:51 AM
Awesome, thanks!