
Connecting the HTML5 app to a database on a server *Safely*

I am trying to connect an HTML5 mobile PhoneGap app to a database (MongoDB) safely. The app is going to be on the app stores and no one can see the code. I had a few questions regarding the same. As far as I know there are 2 ways to do this: one is using RESTful services and the other is using database drivers (I am having problems with this method, so I used the HTTP request method). So here are my questions.

When I use RESTful services to connect to the database I have to include the HTTP query, which includes the API key. My question: is it safe to use it this way? I am planning to store some sensitive information in the database but am planning to encrypt it. But I do not want anyone to see my API KEY, because if one sees the API key then it's easy to get access to the information in the database. The API KEY is hardcoded in one of the JavaScript files.

Is there a safe way to use the REST API key in JavaScript?

Best way is to put an OAuth 2.0 layer between app (Client) and DB (Resource Server). Here the "Resource Owner" is the end-user.

You may use "Implicit", "Resource Owner Password Credentials" or "Client Credentials". Do read about "Access Tokens" and "Refresh Tokens" also.

Abstract Protocol Flow (Copied from here)

 +--------+                               +---------------+
 |        |--(A)- Authorization Request ->|   Resource    |
 |        |                               |     Owner     |
 |        |<-(B)-- Authorization Grant ---|               |
 |        |                               +---------------+
 |        |
 |        |                               +---------------+
 |        |--(C)-- Authorization Grant -->| Authorization |
 | Client |                               |     Server    |
 |        |<-(D)----- Access Token -------|               |
 |        |                               +---------------+
 |        |
 |        |                               +---------------+
 |        |--(E)----- Access Token ------>|    Resource   |
 |        |                               |     Server    |
 |        |<-(F)--- Protected Resource ---|               |
 +--------+                               +---------------+
