5

We are trying to develop an API for our service and we are doubting in how to accomplish the authentication process. Our clients have to be able to include a .js file which connects with our Node.js server. The key point here is that our backend must track the use of the API so our clients are going to be charged according to its use.

Our intention is to design the API as simple as possible for the users, as well as making it secure. We have thought of:

  • Creating an API_KEY for each user and matching it with their domains in every request. Problem here could be that the domain is not the most secure option, isn't it? We understand that the domain may be supplanted in an HTTP request.

  • Using a SDK with an API_KEY and SECRET_KEY to generate a token for a given session and user. I don't dislike at all this option but we would prefer a simpler solution for the developers, which would not imply using several APIs.

Do you have any ideas/suggestion/considerations/whatever?

Thanks in advance.

Rubén Jiménez
  • 1,835
  • 5
  • 21
  • 29
  • If by 'the domain' you mean the value passed in the `Origin` header, this is not spoofable on newer browsers that support CORS. It can still be spoofed on older browsers (notably IE) but this might be acceptable because a single newer-browser request could expose the subterfuge - they could only get away with it if all their users were on IE. – bobince Apr 16 '13 at 09:39

1 Answers1

3

I like your second option best. In addition to an API_KEY and SECRET_KEY you can do a number of other things.

First of all make sure all requests are done through HTTPs. It is the single most important security feature you can add... and its easy to do.

Second if you want to make things super secure send a timestamp from the client. This timestamp can be used to hash the SECRET_KEY providing you protection against someone recreating data.

Your client would send the following with every request:

1) timestamp - you would store this in your database and reject any new requests with a smaller number

2) API_KEY - essentially a userID

3) signature - this is a hash of the SECRET_KEY, timestamp, and API_KEY. (The hashing algorithm and order of parameters is generally unimportant. SHA1 is pretty decent) Your server can calculate this hash to validate that this client actually knows the SECRET_KEY. At no time should your client ever disclose the SECRET_KEY to anyone.

You can also look into the OAuth standard. I believe NodeJS and Javascript in general both have libraries for it. NodeJS OAuth Provider

Community
  • 1
  • 1
Gunnar Hoffman
  • 1,226
  • 1
  • 11
  • 11
  • 2
    Is it possible to avoid disclosing the SECRET_KEY to any users(including the actual user) when dealing only in JavaScript? – Sti Jun 05 '14 at 16:50
  • @Sti Just wondering / hoping you now know the answer! sincerely Mr Curious – jamesmstone Dec 06 '15 at 08:37