riotgames

Securing your API key

May 21st, 2019
Not every project using the API requires a server to run, but every project using the API is required to properly secure its API key. Embedding an API key in a client-side application is never safe: when a user controls the device that holds the embedded key, they have many ways to retrieve it (decompiling the app, reading the extension's source, or simply watching the outgoing requests with a local intercepting proxy). As such, projects such as mobile apps, Chrome extensions, and desktop applications are required to proxy all requests to the API through infrastructure they control.

Typically this is accomplished by running a web service with a custom API. This has several advantages: you can cache the data you retrieve from the API, properly respect rate limits (avoiding a blacklisting of your key), and change how data is served to your mobile app on the fly. If API calls are made directly from the application, the developer has limited ability to react when the API changes.

There is a middle ground. Projects can choose to proxy their requests through a generic proxy service: the mobile app requests data from the proxy, and the proxy forwards the request to the API, appending the key on the way. This still lets the developer modify the proxy if they need to. Here is how this generally works:

1. The app calls the proxy, e.g., https://www.example.com/summoner/{routing-value}/{summonerId}
2. The proxy calls the API at https://{routing-value}.api.riotgames.com/lol/summoner/v4/summoners/{summonerId}
3. The proxy returns the response to the app.

There are several services that can host a proxy of this kind. I'll list a couple below; feel free to let me know in the comments if there are others.

* AWS Lambda alongside AWS API Gateway (free tier 1 million API calls a month)
* apigee (free tier 100k API calls a month)

Today, I'm going to walk through a rough guide on how to proxy requests to the Riot Games API using AWS Lambda and AWS API Gateway.

Note: To complete this guide, you'll need an AWS account.

1. First we'll start off by creating an AWS Lambda function, which you'll find under the Compute section. We'll be creating our Lambda in the NorCal region (us-west-1); if you're deploying your proxy in a different region, select that region before starting this guide.

https://s3-us-west-1.amazonaws.com/riot-developer-portal/guides/lambda1.png
https://s3-us-west-1.amazonaws.com/riot-developer-portal/guides/lambda2.png

2. When creating a new Lambda, AWS offers a couple of different templates to start from. We'll just be selecting Author from scratch, indicated with an orange button.

https://s3-us-west-1.amazonaws.com/riot-developer-portal/guides/lambda3.png

3. Next, it'll ask if we'd like to Add trigger. We'll skip this step by pressing the Next button.

https://s3-us-west-1.amazonaws.com/riot-developer-portal/guides/lambda4.png

4. It'll ask for some basic information about the Lambda.
Name: RGAPI_getSummonerById
Description: Proxy a request to the Riot Games API to retrieve a summoner by their id.
Runtime: Node.js 4.3 (the runtime current when this guide was written; AWS has since retired it, so pick a current Node.js runtime and adapt the sample code to it)
---
Code entry type: Edit code inline
Code: https://pastebin.com/Q5XRyBHk
---
Role: Create new role from template(s)
Role name: rgapi-lambda
Policy templates: Basic Edge Lambda permissions
---
Memory: 128 MB
Timeout: 3 sec

We'll review the AWS Lambda by pressing the Next button and complete the creation by pressing Create function on the next page.

https://s3-us-west-1.amazonaws.com/riot-developer-portal/guides/lambda5.png
https://s3-us-west-1.amazonaws.com/riot-developer-portal/guides/lambda6.png

5. Next, we'll head over to AWS API Gateway to create an interface that executes the Lambda we just created and returns its result.

https://s3-us-west-1.amazonaws.com/riot-developer-portal/guides/apigateway1.png

6. When creating a new API, we're presented with three options: new API, import from Swagger, or example API. We'll be creating a new API from scratch.
API name: rgapi-proxy
Description: Proxy requests to the Riot Games API

https://s3-us-west-1.amazonaws.com/riot-developer-portal/guides/apigateway2.png

7. Under Resources, there's a drop-down menu titled Actions. We'll use the Create Resource option in that menu to create the summoner resource and two path parameters: region and id.

https://s3-us-west-1.amazonaws.com/riot-developer-portal/guides/apigateway3.png
https://s3-us-west-1.amazonaws.com/riot-developer-portal/guides/apigateway4.png
https://s3-us-west-1.amazonaws.com/riot-developer-portal/guides/apigateway5.png

8. Again under the Actions menu, we'll use the Create Method option to add a GET HTTP method to the id path parameter.
Integration type: Lambda Function
Use Lambda Proxy Integration: checked
Lambda Region: us-west-1 (for this guide)
Lambda Function: RGAPI_getSummonerById

https://s3-us-west-1.amazonaws.com/riot-developer-portal/guides/apigateway6.png

9. Next, under the Actions menu, we'll select Deploy API. We'll need to fill out some information for a new deployment stage.
Deployment stage: [New Stage]
Stage name: rgapi
Stage description: rgapi
Deployment description: initial deploy

https://s3-us-west-1.amazonaws.com/riot-developer-portal/guides/apigateway7.png
https://s3-us-west-1.amazonaws.com/riot-developer-portal/guides/apigateway8.png

10. Finally, we'll navigate to the GET method to find the Invoke URL for our new API. In this case, it was https://diylesd0nh.execute-api.us-west-1.amazonaws.com/rgapi/summoner/{region}/{id}

https://s3-us-west-1.amazonaws.com/riot-developer-portal/guides/apigateway9.png

11. Tada! We've done it. We're now proxying requests through AWS API Gateway and AWS Lambda, appending the API key along the way. The key never leaves your infrastructure, while your project can still make API calls from the client.

Two things to keep in mind before shipping this. The Invoke URL is public, so anyone who finds it can spend your rate limit through your key: set a throttling limit on the stage (or put the method behind a usage plan), and have the Lambda reject routing values and ids it doesn't expect rather than concatenating whatever the client sent into the upstream URL, since the routing value becomes the hostname the key is sent to. Also keep the Riot API key out of the inline code: put it in a Lambda environment variable and read it from there, so it isn't sitting in the function source or in your version control.

Hopefully this guide has been helpful. Let me know if you have questions.