Hydra Console includes what amounts to a proxy server. Here is an example. To prevent abuse, you should be able to restrict the URIs the proxy server will accept. Typically you would restrict the domain to your service's server.
I suggest that URIs be restricted by a whitelist composed of regular expressions. This is a sketch of how the URI restriction would work.
// allows requests for domains myapi.mydomain.com
// and sandbox.myapi.mydomain.com
$uriFilter = array(
'!^myapi\.mydomain\.com($|/)!',
'!^sandbox\.myapi\.mydomain\.com($|/)!'
);
function isUriAllowed(array $uriFilter, $uri) {
return \array_reduce(
\array_map(
function ($pat) use ($uri) {
return \preg_match($pat, $uri);
}
),
function ($carry, $item) {
return $carry || $item;
},
false
);
}
The $uriFilter must be configurable. For simplicity, this variable can be defined as a PHP array in a separate config file. The config file can be included in a non-global scope. This is a sketch of how that would be done.
function getUriFilter() {
$configFile = 'proxy.config.php';
include $configFile;
if (isset($uriFilter) && \is_array($uriFilter)) {
return $uriFilter;
}
else {
throw new \Exception('Must define array $uriFilter in ' . $configFile);
}
}
This configuration file can be reused for other configuration options particular to the proxy server.
Hydra Console includes what amounts to a proxy server. Here is an example. To prevent abuse, you should be able to restrict the URIs the proxy server will accept. Typically you would restrict the domain to your service's server.
I suggest that URIs be restricted by a whitelist composed of regular expressions. This is a sketch of how the URI restriction would work.
The
$uriFiltermust be configurable. For simplicity, this variable can be defined as a PHP array in a separate config file. The config file can be included in a non-global scope. This is a sketch of how that would be done.This configuration file can be reused for other configuration options particular to the proxy server.