
REST API: Securely Handle Authentication in a Javascript SPA

We're developing a single page application in Javascript using DurandalJS that's going to be the client for a REST API server.

Here's the way we've thought out the authentication process:

Step 1

The client is going to have an API key and a private key; the API key is going to be public, while the private key is going to be secret and used only for signing the request (the signature is going to be recreated by the server and compared, similar to two-legged OAuth).

The client is going to make a POST call to https://api/sessions/ and we're going to send as params:

  • api key
  • user / pass
  • nonce
  • timestamp
  • signature (HMAC of params using the private key)

Step 2

The server is going to respond with an auth_token that's going to be used by the client in the subsequent requests in order to identify the user. This token is going to be short-lived (e.g. set to expire in an hour).

The auth_token is going to be assigned to a certain user_id and API key, so it couldn't be valid if used by another API key.

Step 3

Any subsequent request has to include API key, nonce, timestamp, auth_token and signature. The nonce and the timestamp are used to filter out the replay attacks by the man in the middle while the encryption will be secured by SSL.

The downside of using a Javascript SPA is the fact that the code is public via the console and therefore the private key might be discovered. However, even if an attacker discovers and recreates the signature, any requests will not be valid without the auth_token. Since the token is obtained in a secure HTTPS connection by calling https://api/sessions, the man in the middle cannot get hold of it.

We could add another layer of security by obfuscating the JS code, but this is security through obscurity.

My question is: Is there a more secure way to handle the authentication process using a SPA JS client?

Thanks!

Consider using an Apigee proxy implementing OAuth. Please see the following documentation: http://apigee.com/docs/api-platform/content/secure-calls-your-api-through-oauth-20-client-credentials. An Apigee free trial account has this enabled.
