How to prevent my external API call from being called by anyone but me (my site)

Question

My site sends different data to an external API under different circumstances. Luckily, most of it happens on form submissions, but there are a few instances where I need to make an API call from the client-side when a custom event fires.

$(document).on('someCustomEvent', function() {
  $.ajax({
    url: '/wp-admin/admin-ajax.php',
    method: 'post',
    data: {
      uid: 'vfwekwedefkw6lqekvwdkdvwsav=dwdsav9dsq',
      action: 'add_user_by_uid'
    }
  });
});

Then in functions.php I have:

function add_user_by_uid() {
  // API credentials are defined server-side and are never sent to the browser.
  $basic_auth = 'Basic ' . base64_encode( PUBLIC_KEY . ':' . PRIVATE_KEY );
  $headers = array(
    'Authorization' => $basic_auth,
    'Content-type' => 'application/json'
  );

  // Forward the uid received in the browser's POST to the external API.
  $response = wp_remote_post( 'https://api.example.com/add/', array(
    'headers' => $headers,
    'body' => json_encode( array( 'uid' => $_POST['uid'] ) )
  ) );
  die();
}

How can I prevent someone from creating their own POST request and executing this API call from their own site (obviously at times other than when someCustomEvent fires)?

Daveh0 3 months 0 Answers 10 views 0
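
An added example, not part of the original question and not the asker's code: one way to harden the handler with a WordPress nonce check, input validation and a per-address rate limit before the upstream call. The script handle 'my-site-js', the myAjax object, the my_ prefixed names, the uid pattern and the limit of 5 calls are assumptions made for illustration.

```php
<?php
// Added example. Client side is assumed to send: nonce: myAjax.nonce, uid, action.
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'my-site-js', 'myAjax', array(   // handle is an assumption
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'add_user_by_uid' ),
    ) );
}, 20 ); // priority 20: run after the script has been enqueued

add_action( 'wp_ajax_add_user_by_uid', 'my_add_user_by_uid' );
add_action( 'wp_ajax_nopriv_add_user_by_uid', 'my_add_user_by_uid' );

function my_add_user_by_uid() {
    // 1. Reject requests that do not carry a valid nonce for this action.
    if ( ! check_ajax_referer( 'add_user_by_uid', 'nonce', false ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    // 2. Accept only the expected uid shape (pattern is an assumption).
    $uid = isset( $_POST['uid'] ) ? sanitize_text_field( wp_unslash( $_POST['uid'] ) ) : '';
    if ( ! preg_match( '/^[A-Za-z0-9=]{1,64}$/', $uid ) ) {
        wp_send_json_error( 'bad uid', 400 );
    }
    // 3. Rate limit per client address; the window restarts on each counted call.
    $key   = 'my_uid_rl_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
    $count = (int) get_transient( $key );
    if ( $count >= 5 ) {
        wp_send_json_error( 'rate limited', 429 );
    }
    set_transient( $key, $count + 1, MINUTE_IN_SECONDS );
    // 4. Only now spend the server-side credentials on the upstream call.
    $response = wp_remote_post( 'https://api.example.com/add/', array(
        'headers' => array(
            'Authorization' => 'Basic ' . base64_encode( PUBLIC_KEY . ':' . PRIVATE_KEY ),
            'Content-Type'  => 'application/json',
        ),
        'body'    => wp_json_encode( array( 'uid' => $uid ) ),
    ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( 'upstream error', 502 );
    }
    wp_send_json_success();
}
```

For visitors who are not logged in, the nonce is the same for everyone and can be read from the page source, so it blocks forged cross-site requests but does not authenticate the caller. The validation and rate limit are what bound how the endpoint can be used by someone replaying the request.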
