Calling the Web API once a day from my app's extended feature?

I set up a REST API on my server that contacts the LimeLM Web API to retrieve data for a product key and sends that information to the client that hit my server. I coded it in NodeJS with Express, protected the endpoints with basic HTTP authentication, and it's working well.

One portion of my app is coded and built in C++, and another portion of the app is a JavaScript app--which works together with the C++ portion and is considered an extension. For the C++ portion, I am using the libraries supplied by WyDay. It's in this portion of the app that I present the user with a field to enter their product key and call the Activate() function. It's working like a charm.

However, now I want to protect the JavaScript portion of the app, but it's really just an extension that we charge for on a monthly basis. So, in the JavaScript portion of the app, it doesn't need to activate the product key itself, it just needs to inspect the custom fields of the product key that was initially activated on the C++ side. So, my question relates to the best practice to grab those custom fields from the JavaScript side of my app. Is it okay to call my REST API (which calls LimeLM Web API) once a day directly from my app? Is there a better practice for this?

Thank you for your time and help!

Arie

Hey Arie,

You should never directly call web API functions from an application that a user has access to. Really, the only place you should be calling the web API is from:

A. Your web servers.

Or

B. Your back-office systems (accounting / etc.)

Why do I say this? Because in order to use the web API you need to use an API key (which is like a password to your account giving the user complete access to your LimeLM account).

If you want to use the web API from your app, then you need to use it indirectly. For example, your app submits a product key to a script on your web servers, and then your web servers use that product key to look up any information. This way the API key is always completely in control of your web servers.

Does that make sense?

But honestly, for your purposes you should really just be using the TurboActivate function calls.

Yes, I do understand that it is very bad to hit up the Web API directly from the app's source code. That's why I set up a REST API on my server that stores the LimeLM API Key there and then communicates to LimeLM from my web server. My server's REST API then sends back information from the LimeLM server back to the JavaScript portion of my app. So, the LimeLM API Key is only on my servers, not in my app's source.

The issue is that there is no TurboActivate JavaScript library that I can use to protect the JavaScript portion of my app, so my thinking would be that on the C++ portion of my app, I could do the activation / deactivation / IsGenuineEx calls, and on the JavaScript side I could call my server's REST API which would send me back information about a particular key. It sounds like my setup is okay, but I was asking if it is okay for my own server's REST API to call LimeLM Web API at least once a day to get information about an activated license.

Is it alright to do this?

Sorry if this isn't clear, I just want to be sure if this model will work well in the long run and as the user base scales up.

Thanks,

Arie

Yeah, you can do that. You should also heavily cache things on your servers so you're not depending on 100% uptime from our servers.
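An added example, not part of the thread and not WyDay's or the poster's code: one way the server-side proxy could cache license lookups for a day and fall back to a stale entry when the upstream call fails, so the API key stays on the server and clients do not depend on upstream uptime. `LicenseCache`, `fetchFromLimeLM`, the `source` field and the TTL values are hypothetical names and assumptions; `fetchFromLimeLM` stands in for whatever server-side function makes the real Web API request.

```javascript
// Added example: server-side license cache with stale fallback (Node.js).
// fetchFromLimeLM is a hypothetical async function that runs only on the
// server, holds the API key, and resolves to the key's custom fields.
const DAY_MS = 24 * 60 * 60 * 1000;

class LicenseCache {
  constructor({ ttlMs = DAY_MS, maxStaleMs = 7 * DAY_MS } = {}) {
    this.ttlMs = ttlMs;           // how long an entry is served without refetching
    this.maxStaleMs = maxStaleMs; // extra grace period used only when upstream fails
    this.entries = new Map();     // productKey -> { fields, fetchedAt }
    this.inFlight = new Map();    // productKey -> Promise (dedupes concurrent refreshes)
  }

  // Classify a cached entry as 'fresh', 'stale' or 'miss' at time `now`.
  lookup(productKey, now = Date.now()) {
    const e = this.entries.get(productKey);
    if (!e) return { state: 'miss' };
    const age = now - e.fetchedAt;
    if (age < this.ttlMs) return { state: 'fresh', fields: e.fields };
    if (age < this.ttlMs + this.maxStaleMs) return { state: 'stale', fields: e.fields };
    this.entries.delete(productKey); // too old to trust even as a fallback
    return { state: 'miss' };
  }

  store(productKey, fields, now = Date.now()) {
    this.entries.set(productKey, { fields, fetchedAt: now });
  }

  async get(productKey, fetchFromLimeLM, now = Date.now()) {
    const cached = this.lookup(productKey, now);
    if (cached.state === 'fresh') return { fields: cached.fields, source: 'cache' };
    let pending = this.inFlight.get(productKey);
    if (!pending) {
      pending = Promise.resolve()
        .then(() => fetchFromLimeLM(productKey))
        .finally(() => this.inFlight.delete(productKey));
      this.inFlight.set(productKey, pending);
    }
    try {
      const fields = await pending;
      this.store(productKey, fields, now); // failed lookups are never stored
      return { fields, source: 'upstream' };
    } catch (err) {
      // Upstream unreachable: serve the stale copy if one is still within grace.
      if (cached.state === 'stale') return { fields: cached.fields, source: 'stale-cache' };
      throw err;
    }
  }
}
```

In an Express handler, the authenticated route would call `cache.get(productKey, fetchFromLimeLM)` and return only the fields the extension needs.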