
Can authentication via JS be faked? (Using 3rd party Authentication)

I am looking to override the authentication for my Django backend with Twitter Fabric's Digits. Digits allows you to sign in without a password; it is mobile-phone authentication.

The trick is, they provide an embed widget for your frontend (JS). This widget allows you to send requests and returns whether the user is authenticated or not.

Currently I have two ideas for integrating this with Django.

  1. Embed the script, wait for a response, and send the response to the backend. Let the backend parse the script.
  2. Figure out the endpoints and ping them from the backend, essentially rewrite Fabric's Digits JS functions in Python.

I'd really like to do idea 1 but am unsure whether this is secure enough. Can the response of the request be spoofed? Are there vulnerabilities to option 1?

Option #1 isn't enough, but you do need to send the response to the server, and you don't need to do #2.

If you just went with your first option and didn't do any server-side validation of the response, they could easily mock the response that you would've forwarded to the backend. Remember (ignoring firewalls) that the user can send anything they want to your server backend, bypassing all client-side validation.

What you need to do is verify that the response your server receives from the frontend is valid, by using the Digits API from your backend. See the documentation:

From your web server, over SSL, you can use this response to securely request the userID, phone number, and oAuth tokens of the Digits user. With this approach, there is no need to configure OAuth signing, or configure and host a callback url for Digits.

As additional security measures, you will want to on your webhost:

  • Validate the oauth_consumer_key header value matches your oauth consumer key, to ensure the user is logging into your site
  • Verify the X-Auth-Service-Provider header, by parsing the uri and asserting the domain is api.twitter.com or www.digits.com, to ensure you call Twitter.
  • Validate the response from the verify_credentials call to ensure the user is successfully logged in
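The server-side check the answer describes, written out as an added Python example (this is not code from the question, the answer, or Digits itself). It assumes the frontend forwards the two values the widget returns, the `X-Auth-Service-Provider` URL and the OAuth `Authorization` header, to a Django view; that the app's consumer key is `MY_CONSUMER_KEY`; and that the account endpoint returns the user id as `id_str` and the number as `phone_number`. The HTTP call is injectable so the demo runs offline with a constructed response; in production the default `_https_get` does the real call over TLS.

```python
"""
Server-side verification of a Digits (OAuth Echo) login response.

The browser widget hands the page two values that the frontend forwards
to the backend: the service-provider URL and the OAuth Authorization
header. The backend must treat both as attacker-controlled input and
verify them itself before trusting the login.
"""
import json
import re
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

# Assumption: the consumer key your app registered with Fabric. In Django
# you would read this from settings rather than hard-coding it.
MY_CONSUMER_KEY = "example-consumer-key"

# Hosts the Digits documentation names as legitimate endpoints.
ALLOWED_HOSTS = {"api.twitter.com", "www.digits.com"}

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


class DigitsVerificationError(Exception):
    """Raised when a forwarded login response fails any check."""


def parse_oauth_header(header):
    """Parse 'OAuth a="1", b="2"' into {'a': '1', 'b': '2'}.

    Returns an empty dict if the header is not an OAuth header at all.
    """
    scheme, _, params = header.strip().partition(" ")
    if scheme != "OAuth":
        return {}
    return {m.group(1): m.group(2) for m in _PARAM_RE.finditer(params)}


def pre_validate(provider_url, auth_header, consumer_key=MY_CONSUMER_KEY):
    """Return the reasons to reject the forwarded values (empty list if OK).

    These are the offline checks from the Digits docs: the request must be
    signed with *our* consumer key, and the URL we are about to call must
    really point at Twitter. A client that skips the widget can forge both.
    """
    problems = []
    params = parse_oauth_header(auth_header)
    if not params:
        problems.append("authorization header is not an OAuth header")
    elif params.get("oauth_consumer_key") != consumer_key:
        problems.append("oauth_consumer_key does not match this app")

    url = urlsplit(provider_url)
    if url.scheme != "https":
        problems.append("service provider URL is not https")
    # Exact hostname match: endswith() would accept api.twitter.com.evil.example
    if url.hostname not in ALLOWED_HOSTS:
        problems.append("service provider host %r is not Twitter" % url.hostname)
    return problems


def _https_get(url, headers):
    """Real HTTP GET over TLS. Returns (status, body_text)."""
    req = Request(url, headers=headers)
    with urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8")


def verify_digits_login(provider_url, auth_header, http_get=_https_get,
                        consumer_key=MY_CONSUMER_KEY):
    """Verify a forwarded Digits response and return the verified account.

    Replays the client's Authorization header against the service-provider
    URL (the OAuth Echo pattern) and returns {'user_id': ..., 'phone': ...}
    only if the verify_credentials call succeeds.
    """
    problems = pre_validate(provider_url, auth_header, consumer_key)
    if problems:
        raise DigitsVerificationError("; ".join(problems))

    status, body = http_get(provider_url, {"Authorization": auth_header})
    if status != 200:
        raise DigitsVerificationError("verify_credentials returned HTTP %d" % status)
    try:
        account = json.loads(body)
    except ValueError:
        raise DigitsVerificationError("verify_credentials body is not JSON") from None
    # Assumption: field names as returned by the account endpoint.
    user_id = account.get("id_str")
    if not user_id:
        raise DigitsVerificationError("verify_credentials response has no user id")
    return {"user_id": user_id, "phone": account.get("phone_number")}


if __name__ == "__main__":
    # Constructed sample of what a frontend would forward, with a stubbed
    # Twitter reply so this runs offline.
    url = "https://api.twitter.com/1.1/account/verify_credentials.json"
    hdr = ('OAuth oauth_consumer_key="example-consumer-key", oauth_nonce="n1", '
           'oauth_signature="sig", oauth_signature_method="HMAC-SHA1", '
           'oauth_timestamp="1", oauth_token="tok", oauth_version="1.0"')
    stub = lambda u, h: (200, '{"id_str": "12345", "phone_number": "+15550100"}')
    print(verify_digits_login(url, hdr, http_get=stub))
    print(pre_validate("https://api.twitter.com.evil.example/x", hdr))
```

In a Django view you would pull the two values out of `request.POST`, call `verify_digits_login`, and only then create or look up the local user by the returned `user_id`; the `DigitsVerificationError` path should return 401 and log the reason, since it fires only when a client sends something the widget would never produce.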
