
Perhaps I'm asking for something impossible, but here we go: I'm trying to find a way to authenticate client requests to an API, but some clients can only use JavaScript to send their requests (they use hosted services which don't allow writing a single line of server-side code). This means that any API key, secret or hash has to be handled by JavaScript, effectively making them useless.

I've seen some APIs using a heavily obfuscated code, but, in my opinion, such approach gives a false sense of security (it can be easily read with JavaScript Beautifier). Is there any better approach?

Thanks in advance for all the answers.

  • If the client goes through an ordinary authentication process (with https of course), and a session is established, then ajax API accesses will be secure. Isn't that good enough? Commented Apr 5, 2012 at 20:53
  • @Pointy The issue is that the client would still have to authenticate, somehow, and this means passing credentials (via JavaScript, once again), which would be in plain text. Authentication won't require any user interaction. Commented Apr 5, 2012 at 21:06
  • @Diego yes I misunderstood the situation a little when I first read it. If there's no user-supplied "secrets" involved, and the JavaScript has to authenticate automatically, then there's really nothing you can do to hide stuff. Commented Apr 5, 2012 at 21:08
  • Does your actual server have an authentication system? Token based or cookie based... Or is it a completely public API without any authentication? Commented Jun 24, 2015 at 22:46
  • Oh, question is 3 years old! Time flies.. Commented Jun 24, 2015 at 22:49

2 Answers


No, JavaScript is open, which means zero security.

The most sensible thing to do is proxy the API through a server you own, then get people to sign up to the server with their keys.

This means even though they can't have any server-side code, it's ok, because you're hosting the server for them.


5 Comments

Yes, JavaScript is open, but even a single-page all-JavaScript site can use ordinary authentication techniques to establish a secure session. Of course if this is some kind of JSONP thing, then yes it's not possible to keep the security information secret.
@Pointy true, but that requires a server, he doesn't have one
Ah OK I just re-read that first paragraph; I misunderstood at first.
@Raynos I was thinking of putting a "server in the middle", but I'm still wondering how clients would authenticate to it. The JavaScript would still contain the authentication to the proxy, which would be visible.
@Raynos No can do, unfortunately. As I replied to Hexxagonal, JavaScript will run on clients' browser, therefore I can't predict their IP addresses.

There really isn't a way to do this entirely with JavaScript. The only option I have ever used is limiting by IP addresses or some other form of authentication for the JavaScript clients. After authentication/authorization then pass them over HTTPS their secret key that only remains with the client for a bit (i.e. not stored anywhere).

The disadvantage is that a smart, malicious user could pretty easily debug into the JavaScript and ascertain this key.

1 Comment

Thanks for your suggestion. Unfortunately, JavaScript will run on clients' browser, therefore I can't predict the IP and filter it. Regarding HTTPS, it won't help in this case, as all requests would be sent uniquely via JavaScript and, therefore, visible to anyone. As you confirmed, there isn't a way to do it with JavaScript only, which confirms my ideas.
