
I am looking for the best way to secure my application's login API from third parties attempting to hijack it. I am using Apigility, ZF2, and jQuery.

I have a game server (Server G) and a cloud server (Server C).

While Server C holds usernames and passwords, users sign up and log in via Server G.

Both Server C and Server G have their own APIs built with Apigility.

When a user logs into Server G, the jQuery app calls its own API, which in turn uses OAuth2 to contact Server C to verify the entered credentials. This way, every game in my network has a single Bearer token connection to my cloud, and each game handles its own connections to its clients (mobile / browser / desktop etc.). Keeps things clean.

While Server G to C is secure, how do I secure the JavaScript call to its own API?


The JavaScript exposes the local app's API call, which essentially means anyone can grab the URL and play with it :)

 // Credentials are placed directly in the URL of a GET request
 var url = 'http://server-g.example.com/api/login/' + email + '/' + password;

 $.ajax({
     type:     'GET',
     async:    true,
     url:      url,
     dataType: "json",
     success:  function (responseObject) {
         if (responseObject.status) {
             // Do stuff
         } else {
             // Do other stuff
         }
     }
 });

I have been thinking of using an implicit grant; however, I am not sure how this would work with my own API.

What would the standard solution be?

HappyCoder

1 Answer


You should never send the password and email in the URL like that.

I wonder what documentation from Apigility you used to set up this authentication.

You should send the username and password in a POST request and use a properly set up HTTPS connection. The data sent will be encrypted using a certificate, and this way you prevent the data from being read if it is intercepted.

Read more on how to use OAuth in Apigility here, especially at:

Public Clients

The example shows:

POST /oauth HTTP/1.1
Accept: application/json
Content-Type: application/json

{
    "grant_type": "password",
    "username": "testuser",
    "password": "testpass",
    "client_id": "testclient2"
}
Wilt
  • @Alex, can you be more specific. There are also [docs on how to use http basic in Apigility](https://apigility.org/documentation/auth/authentication-http-basic). It is definitely not done as in the above question. – Wilt May 19 '15 at 08:54
  • Thank you Wilt, this solves my issue. I was not thinking beyond using GET to check and POST to update. – HappyCoder May 19 '15 at 08:57
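The following is an added example, not code from the question, the answer, or Apigility itself. It shows the client side of what the answer recommends: the password grant sent as a JSON POST body over HTTPS (the request shape from the answer's example), followed by API calls that carry the returned token in an Authorization header instead of putting anything secret in the URL. The endpoint URL, the client_id value and the token response fields are assumptions for illustration; the `sendWithJQuery` adapter is a hypothetical helper that hands the request description to `$.ajax` in the browser.

```javascript
'use strict';

// Assumed values (hypothetical): Server G's OAuth2 token endpoint and the
// public client id. "testclient2" mirrors the answer's example request.
const TOKEN_ENDPOINT = 'https://server-g.example.com/oauth';
const CLIENT_ID = 'testclient2';

// Refuse to build any request that is not HTTPS. A POST body is just as
// readable on the wire as a query string if the transport is plain HTTP.
function assertHttps(url) {
  if (!/^https:\/\//i.test(url)) {
    throw new Error('refusing to send credentials over a non-HTTPS URL: ' + url);
  }
  return url;
}

// Describe the password-grant request. Credentials travel only in the JSON
// body, so they never end up in proxy logs, browser history or referrers.
function buildTokenRequest(username, password, endpoint) {
  return {
    method: 'POST',
    url: assertHttps(endpoint || TOKEN_ENDPOINT),
    headers: { Accept: 'application/json', 'Content-Type': 'application/json' },
    body: JSON.stringify({
      grant_type: 'password',
      username: username,
      password: password,
      client_id: CLIENT_ID,
    }),
  };
}

// Parse a standard OAuth2 token response and reject anything that is not
// a bearer token, so a malformed reply cannot be mistaken for a login.
function parseTokenResponse(json) {
  const res = typeof json === 'string' ? JSON.parse(json) : json;
  if (!res.access_token || String(res.token_type).toLowerCase() !== 'bearer') {
    throw new Error('unexpected token response');
  }
  return {
    accessToken: res.access_token,
    expiresAt: Date.now() + (Number(res.expires_in) || 0) * 1000,
  };
}

// Every later call to the game server's own API carries the token in the
// Authorization header; the server validates that header, not a URL parameter.
function buildApiRequest(method, url, token, body) {
  const headers = {
    Accept: 'application/json',
    Authorization: 'Bearer ' + token.accessToken,
  };
  if (body !== undefined) {
    headers['Content-Type'] = 'application/json';
  }
  return {
    method: method,
    url: assertHttps(url),
    headers: headers,
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}

// Hypothetical adapter: pass a request description to jQuery in the browser.
// Returns the jqXHR promise so callers can chain .done()/.fail().
function sendWithJQuery($, req) {
  return $.ajax({
    type: req.method,
    url: req.url,
    headers: req.headers,
    data: req.body,
    contentType: req.headers['Content-Type'] || false,
    dataType: 'json',
  });
}

// Typical browser flow (not executed here):
//   sendWithJQuery($, buildTokenRequest(email, password))
//     .done(function (res) {
//       var token = parseTokenResponse(res);
//       sendWithJQuery($, buildApiRequest('GET', 'https://server-g.example.com/api/profile', token));
//     });
```

Keep the token in memory for the page session rather than in the URL, and treat a non-HTTPS endpoint as a configuration error: the `assertHttps` check throws before any credential leaves the browser.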