
I am writing a Web Api (using asp.net Web Api) and naturally want clients to authenticate to use the service.

I was hoping to write a Javascript plugin that would make use of the Api and then make it available to be simply dropped into other web sites.

Is there a secure way I can have the plugin authenticate? I'm not sure how I could keep any information passed to the plugin confidential.

I also want the API to be used by native apps, so does that rule out anything making use of cookies?

Thanks

1 Answer

Is there a secure way I can have the plugin authenticate?

You are going to have to either embed the username/password in your plugin OR have some fields to get that information from the user.

Consider some code if you choose to embed the username/password:

$.ajax({
    url: 'api/foo',
    type: 'GET',
    dataType: 'json',
    success: onSuccess,
    error: onError,
    beforeSend: setHeader
});

Note the assignment of beforeSend to setHeader:

function setHeader(xhr) {
    // pre-computed "Basic " + base64("user:password") string
    xhr.setRequestHeader('Authorization', 'Basic YXBpX3VzZXIxOjEyMzQxMjM0');
}

Note, you will have to pre-calculate the auth string using the method below.

Now if you want to pull the username/password from the user you could do this:

function setHeader(xhr) {
    xhr.setRequestHeader('Authorization', make_base_auth($("#username").val(), $("#password").val()));
}

function make_base_auth(user, password) {
    // "user:password" joined with a colon, then base64-encoded (RFC 7617).
    // The original used a Base64.encode helper; window.btoa is the built-in
    // equivalent for ASCII credentials.
    var tok = user + ':' + password;
    var hash = window.btoa(tok);
    return "Basic " + hash;
}
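The following is an added example, not code from the answer above: it builds the same Basic Authorization header on the client, parses it back on the server side, and shows the point raised in the comments, that base64 is a reversible encoding, not a secret, so the embedded account should carry only the permissions the plugin needs. The USERS table, scope names and function names are constructed for illustration; a real service would store password hashes (bcrypt/argon2), not plaintext, and serve everything over HTTPS.

```javascript
// Added example (not part of the original answer). Runs in a browser or in
// Node.js 16+ (which has TextEncoder, btoa and atob as globals).

// Base64 helpers that handle UTF-8 credentials (RFC 7617 recommends UTF-8).
function b64encodeUtf8(str) {
  if (typeof Buffer !== "undefined") return Buffer.from(str, "utf8").toString("base64");
  const bytes = new TextEncoder().encode(str);
  return btoa(String.fromCharCode(...bytes));
}

function b64decodeUtf8(b64) {
  if (typeof Buffer !== "undefined") return Buffer.from(b64, "base64").toString("utf8");
  const bin = atob(b64);
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

// Client side: same job as make_base_auth in the answer, plus a check that the
// user-id contains no ':' (RFC 7617 forbids it, since ':' separates the fields).
function makeBasicAuth(user, password) {
  if (user.includes(":")) throw new Error("user-id must not contain ':'");
  return "Basic " + b64encodeUtf8(user + ":" + password);
}

// Server side: parse the header back into its parts. Returns null on malformed
// input. Note that anyone holding the header can do exactly this decoding.
function parseBasicAuth(header) {
  if (typeof header !== "string") return null;
  const m = /^Basic\s+([A-Za-z0-9+/]+={0,2})$/.exec(header.trim());
  if (!m) return null;
  let decoded;
  try { decoded = b64decodeUtf8(m[1]); } catch { return null; }
  const sep = decoded.indexOf(":");
  if (sep < 0) return null;
  return { user: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Constant-time comparison so response timing does not reveal how many leading
// characters of a guessed password were right (plain === short-circuits).
function timingSafeEqualStr(a, b) {
  const ab = new TextEncoder().encode(a), bb = new TextEncoder().encode(b);
  let diff = ab.length ^ bb.length;
  for (let i = 0; i < Math.max(ab.length, bb.length); i++) diff |= (ab[i] || 0) ^ (bb[i] || 0);
  return diff === 0;
}

// Constructed (hypothetical) user table. The account embedded in the plugin
// gets read-only scope, so a leaked credential buys no more than the public
// plugin could already do, and the account can simply be deleted to revoke it.
// Passwords are plaintext here only to keep the example self-contained.
const USERS = {
  plugin_reader: { password: "plugin-secret-1", scopes: ["foo:read"] },
  admin:         { password: "admin-secret-1",  scopes: ["foo:read", "foo:write", "users:admin"] },
};

// Authorization decision for one request: 401 when credentials are missing or
// wrong, 403 when the account is valid but lacks the scope, 200 otherwise.
function authorize(header, requiredScope) {
  const creds = parseBasicAuth(header);
  if (!creds) return { ok: false, status: 401 };
  const record = USERS[creds.user];
  if (!record || !timingSafeEqualStr(record.password, creds.password)) return { ok: false, status: 401 };
  if (!record.scopes.includes(requiredScope)) return { ok: false, status: 403 };
  return { ok: true, status: 200, user: creds.user };
}
```

Running parseBasicAuth over the header literal from the answer recovers the user name and password directly, which is why TLS (protecting the wire) and least privilege (limiting what the embedded account can do) are the two controls that actually matter for a dropped-in plugin.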

5 Comments

Also use SSL and maybe also bind the username/password and eventually the Auth token to a IP Address range.
am assuming the webapi service is on https
In the question "Is there a secure way I can have the plugin authenticate?" having the webapi on https meets that criteria
But if you have the password in a JavaScript variable, like in the make_base_auth method, won't that be visible to anyone observing the page (since they could set breakpoints in the JavaScript etc.)? That is my major concern; without any 'hidden' server side logic nothing can be truly secure, no matter what is sent over the wire.
@user1541517 yes that's true, hence giving you the alternative where the username and password must be provided. If you don't want them to do that but you all want it to just work then yes, nothing can be truly 'secure', but I don't know what you're trying to achieve exactly. What you can ensure, however, is that the user 'embedded in the page' is a user with as small a number of permissions as possible. If the user became compromised or you didn't want to allow 'anonymous' access anymore you can just delete the user your plugin uses.
