
I have to communicate with a PHP-based API using an AngularJS front end. I have my resource constructed like so:

app.factory('Basket', ['$resource', '$http', 
function($resource, $http){
    $http.defaults.headers.post["Content-Type"] = "text/plain";
    return { 
        newBasket: $resource(env + '/rest/v1/newbasket'),
        newLine: $resource(env + '/rest/v1/newbasketline'),
        removeBasketLine: $resource(env + '/rest/v1/removebasketline'),
        getBasketItems: $resource(env + '/rest/v1/getbasketlines/:hash', {hash: '@hash'}),
        getDbBasketIds: $resource(env + '/rest/v1/getbasketids/:hash', {hash: '@hash'})
    };   
}]);

The API requires me to pass my token in an HTTP header, HTTP_APIKEY. I could set the header like so:

$http.defaults.headers.common['APIKEY'] = 'myapikey';

But anyone could view the source code to get my key and then use it for evil purposes.

I can't seem to find any advice on how to securely send an API access token with AngularJS. Any ideas?

twigg
  • 1
    This is a common situation of all SPA web sites - they store data on the client side so it's accessible for the user and there's nothing to do with that. But you could encrypt your localstorage, as mentioned in this question: http://stackoverflow.com/questions/35739791/encrypting-the-client-side-local-storage-data-using-angularjs/35740015#35740015 – xSaber Apr 06 '16 at 09:57

0 Answers
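
An added example, not part of the original question or of the API it describes: because any value shipped in AngularJS source is readable by every visitor, one common arrangement keeps the key on a server-side relay that attaches the APIKEY header itself. The upstream URL, the BASKET_API_KEY variable name, the alphanumeric hash format and all function names here are assumptions.

```javascript
// Added example, not from the original post. Runs on the server (Node.js 18+),
// so the key never appears in the JavaScript delivered to the browser.
// Assumptions: UPSTREAM and the BASKET_API_KEY variable name are placeholders.
const UPSTREAM = 'https://api.example.invalid';
const API_KEY = (typeof process !== 'undefined' && process.env.BASKET_API_KEY)
  || 'constructed-sample-key';

// Only the endpoints used by the question's Basket factory are relayed.
// Assumption: basket hashes are plain alphanumeric strings.
const ALLOWED = [
  /^\/rest\/v1\/(newbasket|newbasketline|removebasketline)$/,
  /^\/rest\/v1\/(getbasketlines|getbasketids)\/[A-Za-z0-9]+$/
];

function isAllowedPath(path) {
  return ALLOWED.some((re) => re.test(path.split('?')[0]));
}

// Headers for the upstream call: discard any APIKEY the client sent (plus
// host/connection/content-length), then attach the server-held key.
function upstreamHeaders(clientHeaders, key) {
  const skip = new Set(['apikey', 'host', 'connection', 'content-length']);
  const out = {};
  for (const [name, value] of Object.entries(clientHeaders)) {
    if (!skip.has(name.toLowerCase())) out[name.toLowerCase()] = value;
  }
  out.APIKEY = key; // arrives in PHP as $_SERVER['HTTP_APIKEY']
  return out;
}

// Relay one request. fetchImpl is injectable so the logic can be tested offline.
async function relay(method, path, clientHeaders, body, fetchImpl = fetch) {
  if (!isAllowedPath(path)) return { status: 404, body: '' };
  const upstream = await fetchImpl(UPSTREAM + path, {
    method,
    headers: upstreamHeaders(clientHeaders, API_KEY),
    body: method === 'GET' || method === 'HEAD' ? undefined : body
  });
  return { status: upstream.status, body: await upstream.text() };
}
```

The Angular `$resource` URLs would then point at the relay instead of the API, with no `APIKEY` default header in the client. The relay route still needs to sit behind the site's own user session check, since otherwise it forwards requests for anyone who can reach it.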