USER_API_KEY: is there a read-only version (yes - it's all read-only, my mistake)


#1

From my limited understanding it looks like if I share my USER_API_KEY I am giving away the keys to the kingdom.
I think it's not quite as bad as giving them my username/password, but whoever it gets shared with can do what they want with my account.

For a lot of the extensions this level of access is not required; they only need read-only access to generate stats.

The only apps I want to share my USER_API_KEY with are the third party phone versions as they have tended to work a bit better for me than the web app, and I’m willing to accept the risk of my key being compromised.

But I’m reluctant to paste it into any of the many web based apps that are linked here for stat purposes. A read-only access key would fix that for me.


#2

I don’t see anything in the API that would let anyone alter your account in any way. As far as I can tell, the API is already read-only.


#3

@baerrach, I used to wonder the same thing, but then discovered the text at the top of the API page:
"WaniKani allows developers to GET public and non-detrimental private content through the use of API by URL."

Private/writable data relies on a session key generated at login, which is different from the API key.


#4

It’s part of my $day job to think about the security implications of things.

I’m currently using the WaniKani Mobile for Android App, and my memory is a little hazy, but I recall needing to paste in my API key before it would start working.

And now that I dig a bit more to collect some data I notice that app is no longer supported and I should be using https://play.google.com/store/apps/details?id=tr.xip.wanikani instead… And I can’t use that app (requires Android 4.0 and up).

But the current app looks like it can post as me, and do reviews.
It can’t change settings because that screen requires the password to be provided as well.

So it's possible a malicious web page that has your API key could grief your WaniKani account.

With a read-only key that is not possible.


#5
baerrach said...
But the current app looks like it can post as me, and do reviews.
It can't change settings because that screen requires the password to be provided as well.

So it's possible a malicious web page that has your API key could grief your WaniKani account.

With a read-only key that is not possible.

Third-party developed app/software permissions != API permissions from WaniKani.

Enlighten us where you found these 'permissions' that allow apps to 'post as you, do reviews as you' - because WaniKani has no 'reviews' section of its site. The most an app can do is collect your profile data (SRS, 'about me', and the like) - nothing more. Again, the API uses a GET request.

#6
baerrach said... I'm currently using the WaniKani Mobile for Android App, and my memory is a little hazy, but I recall needing to paste in my API key before it would start working.

...

But the current app looks like it can post as me, and do reviews.
It can't change settings because that screen requires the password to be provided as well.

Yes, you pasted your API key before you could use the app, and the API key is used to get all the statistics that are displayed on the main screen of the app.

However when you click on the review button it loads the normal web page for doing reviews in a WebView (the android web browser component) and the first time you do that you have to log in with your username and password. So it's actually not the "app" that is doing the reviews using the API key. It's you who are using a web browser in which you have logged in to WaniKani that is doing the reviews.
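
To make the split that #3 and #6 describe concrete (an API key that only ever authenticates GET requests for non-detrimental data, versus a session minted at username/password login that is required for anything that writes, such as doing reviews), here is a toy model of that authorization scheme. It is an added example written for this page, not WaniKani's code or API: the endpoints, header names, account data and key value are all constructed for illustration.

```python
"""Toy model of a two-credential scheme: a read-only API key and a
separate login session for writes. Everything here is hypothetical."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample account. The salted SHA-256 is only to keep the example
# short; a real service would use a slow KDF such as argon2 or scrypt.
_SALT = b"example-salt"
_ACCOUNT = {
    "username": "baerrach",
    "password_hash": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
    "api_key": "apikey-0123456789abcdef",  # hypothetical key value
    "stats": {"level": 12, "reviews_available": 37},
    "srs_counts": {"apprentice": 40, "guru": 120},
}

_sessions = set()  # session tokens issued by login()


def _valid_api_key(headers: dict) -> bool:
    # compare_digest avoids leaking the key length/prefix via timing.
    return hmac.compare_digest(headers.get("X-API-Key", ""), _ACCOUNT["api_key"])


def _valid_session(headers: dict) -> bool:
    token = headers.get("Cookie", "")
    return any(hmac.compare_digest(token, s) for s in _sessions)


def login(username: str, password: str) -> Optional[str]:
    """Mint a session token for a correct username/password, else None.
    This is the only way to obtain write access; the API key never is."""
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    if username != _ACCOUNT["username"] or not hmac.compare_digest(
        digest, _ACCOUNT["password_hash"]
    ):
        return None
    token = secrets.token_urlsafe(32)
    _sessions.add(token)
    return token


def handle(method: str, path: str, headers: Optional[dict] = None) -> Tuple[int, object]:
    """Dispatch one request and return (status, body)."""
    headers = headers or {}
    # Read-only endpoints: the API key is sufficient, and only GET is served,
    # so there is no request shape in which the key can change state.
    if path in ("/api/stats", "/api/srs"):
        if method != "GET":
            return 405, "method not allowed"
        if not _valid_api_key(headers):
            return 401, "bad api key"
        return 200, _ACCOUNT["stats" if path == "/api/stats" else "srs_counts"]
    # The review endpoint ignores the API key entirely and requires a session
    # from login(), mirroring the WebView login described in the thread.
    if path == "/review":
        if not _valid_session(headers):
            return 401, "login required"
        if method != "POST":
            return 405, "method not allowed"
        _ACCOUNT["stats"]["reviews_available"] -= 1
        return 200, {"reviews_available": _ACCOUNT["stats"]["reviews_available"]}
    return 404, "not found"


def leaked_key_attack(api_key: str) -> dict:
    """What a malicious page holding only the API key can and cannot do."""
    hdr = {"X-API-Key": api_key}
    return {
        "read_stats": handle("GET", "/api/stats", hdr)[0],   # allowed
        "post_review": handle("POST", "/review", hdr)[0],    # rejected
        "post_to_api": handle("POST", "/api/stats", hdr)[0], # rejected
    }


if __name__ == "__main__":
    print(leaked_key_attack("apikey-0123456789abcdef"))
    token = login("baerrach", "correct horse")
    print(handle("POST", "/review", {"Cookie": token}))
```

The point of the model is that the damage from a leaked key is bounded by what the key is accepted for: a page that steals it gets 200 on the stats GET and nothing but 401/405 everywhere else, while doing a review still requires a session that only a username/password login can produce.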

#7

@nibarius +1

You can clearly see it is a WebView you are using during the review. It looks exactly like the WaniKani website. And yes, you do have to input your login/password the first time you do the review through the app WebView.


#8

Thanks, that is what I found out by looking through the code and signing out of that app.

It was my mistake to conflate the API with the internal web browser of that app.
I was wondering how the app did that and whether I had been overlooking an API.


#9

Please send me your key. I am not gonna modify anything, just extract small amounts of data to develop a genius plugin.