Question

I am using google authentication in an android app , and after fetching the necessary details from google api , i am sending it to the backend which has a php handler to store the info into the database backend.
For e.g lets say my backend has a php file named storeindb.php
So i would send a post request to that link "http:\\example.com\storeindb.php" with credentials.
But problem with this approach is , anyone can know this link (using wireshark) and then send a post request to this link without even logging in with google account, Thus anyone could spam and fill the db with fake accounts.

Answer 1

What can I do to store the values in the database only after google authentication?

Answer 2

@Opcode

Answer 3

If you're fetching the necessary details from the Google API before writing, just test to make sure that you have the correct details before writing. You should also consider forcing HTTPS instead of HTTP.

Answer 4

That is the question actually, How do i test if the details are correct?.. Also i know there is one way to get some id token and send it over HTTPS and then getting the details on the server side , but that requires HTTPS. Is there any HTTP way to do it?

Answer 5

Create a single use token on your side then send it to the client. Assuming the data flows from the Google API to your server, intercept the data, and attach the single use token made specifically for them. (Perhaps tie it to their user id.) From there it is simply adding a check for a request without a single use token which gets thrown away.

The issue with this though is it may increase the server load, and it still does not encrypt the user's credentials which is unsafe.

As for testing that their details is correct, you need to change your structure from client-oriented to server-oriented so that the server does all this.

Answer 6

lol "fetching"