2

Perhaps I'm asking for something impossible, but here we go: I'm trying to find a way to authenticate client requests to an API, but some clients can only use JavaScript to send their requests (they use hosted services which don't allow to write a single line of server-side code). This means that any API Key, secret or hash has to be handled by JavaScript, effectively making them useless.

I've seen some APIs using a heavily obfuscated code, but, in my opinion, such approach gives a false sense of security (it can be easily read with JavaScript Beautifier). Is there any better approach?

Thanks in advance for all the answers.

Diego
  • 7,312
  • 5
  • 31
  • 38
  • 1
    If the client goes through an ordinary authentication process (with https of course), and a session is established, then ajax API accesses will be secure. Isn't that good enough? – Pointy Apr 05 '12 at 20:53
  • @Pointy The issue is that the client would still have to authenticate, somehow, and this means passing credentials (via JavaScript, once again), which would be in plain text. Authentication won't require any user interaction. – Diego Apr 05 '12 at 21:06
  • @Diego yes I misunderstood the situation a little when I first read it. If there's no user-supplied "secrets" involved, and the JavaScript has to authenticate automatically, then there's really nothing you can do to hide stuff. – Pointy Apr 05 '12 at 21:08
  • Is your actual server has an authentication system? Token based or cookie based... Or is it a completely public API without any authentication? – Murat Çorlu Jun 24 '15 at 22:46
  • Oh, question is 3 years old! Time flies.. – Murat Çorlu Jun 24 '15 at 22:49

2 Answers2

2

No, JavaScript is open, which means zero security.

The most sensible thing to do is proxy the API through a server you own, then get people to sign up to the server with their keys.

This means even though they can't have any server-side code, it's ok, because your hosting the server for them.

Raynos
  • 166,823
  • 56
  • 351
  • 396
  • Yes, JavaScript is open, but even a single-page all-JavaScript site can use ordinary authentication techniques to establish a secure session. Of course if this is some kind of JSONP thing, then yes it's not possible to keep the security information secret. – Pointy Apr 05 '12 at 20:54
  • @Pointy true, but that requires a server, he doesn't have one – Raynos Apr 05 '12 at 20:57
  • Ah OK I just re-read that first paragraph; I misunderstood at first. – Pointy Apr 05 '12 at 20:58
  • @Raynos I was thinking of putting a "server in the middle", but I'm still wondering how would clients authenticate to it. The JavaScript would still contain the authentication to the proxy, which would be visible. – Diego Apr 05 '12 at 21:08
  • @Raynos No can do, unfortunately. As I replied to Hexxagonal, JavaScript will run on clients' browser, therefore I can't predict their IP addresses. – Diego Apr 05 '12 at 21:16
2

There really isn't a way to do this entirely with JavaScript. The only option I have ever used is limiting by IP addresses or some other form of authentication for the JavaScript clients. After authentication/authorization then pass them over HTTPS their secret key that only remains with the client for a bit (i.e. not stored anywhere).

The disadvantage is that a smart, malicious user could pretty easily debug into the JavaScript and ascertain this key.

scottheckel
  • 9,106
  • 1
  • 35
  • 47
  • Thanks for your suggestion. Unfortunately, JavaScript will run on clients' browser, therefore I can't predict the IP and filter it. Regarding HTTPS, it won't help in this case, as all requests would be send uniquely via JavaScript and, therefore, visible to anyone. As you confirmed, there isn't a way to do it with JavaScript only, which confirms my ideas. – Diego Apr 05 '12 at 21:14