Securing a JavaScript-only client to access remote API


2

Perhaps I'm asking for something impossible, but here we go: I'm trying to find a way to authenticate client requests to an API, but some clients can only use JavaScript to send their requests (they use hosted services which don't allow writing a single line of server-side code). This means that any API key, secret or hash has to be handled by JavaScript, effectively making them useless.

I've seen some APIs using heavily obfuscated code, but, in my opinion, such an approach gives a false sense of security (it can be easily read with JavaScript Beautifier). Is there any better approach?

Thanks in advance for all the answers.

2012-04-05 20:51
by Diego
If the client goes through an ordinary authentication process (with https of course), and a session is established, then ajax API accesses will be secure. Isn't that good enough? - Pointy 2012-04-05 20:53
@Pointy The issue is that the client would still have to authenticate, somehow, and this means passing credentials (via JavaScript, once again), which would be in plain text. Authentication won't require any user interaction - Diego 2012-04-05 21:06
@Diego yes I misunderstood the situation a little when I first read it. If there's no user-supplied "secrets" involved, and the JavaScript has to authenticate automatically, then there's really nothing you can do to hide stuff - Pointy 2012-04-05 21:08
Does your actual server have an authentication system? Token based or cookie based... Or is it a completely public API without any authentication? - Murat Çorlu 2015-06-24 22:46
Oh, question is 3 years old! Time flies. - Murat Çorlu 2015-06-24 22:49


2

No, JavaScript is open, which means zero security.

The most sensible thing to do is proxy the API through a server you own, then get people to sign up to the server with their keys.

This means even though they can't have any server-side code, it's ok, because you're hosting the server for them.

2012-04-05 20:53
by Raynos
Yes, JavaScript is open, but even a single-page all-JavaScript site can use ordinary authentication techniques to establish a secure session. Of course if this is some kind of JSONP thing, then yes it's not possible to keep the security information secret - Pointy 2012-04-05 20:54
@Pointy true, but that requires a server, which he doesn't have - Raynos 2012-04-05 20:57
Ah OK I just re-read that first paragraph; I misunderstood at first - Pointy 2012-04-05 20:58
@Raynos I was thinking of putting a "server in the middle", but I'm still wondering how would clients authenticate to it. The JavaScript would still contain the authentication to the proxy, which would be visible - Diego 2012-04-05 21:08
@Diego IP whitelist : - Raynos 2012-04-05 21:15
@Raynos No can do, unfortunately. As I replied to Hexxagonal, JavaScript will run on clients' browser, therefore I can't predict their IP addresses - Diego 2012-04-05 21:16
then it can't be done - Raynos 2012-04-05 21:18


2

There really isn't a way to do this entirely with JavaScript. The only option I have ever used is limiting by IP addresses or some other form of authentication for the JavaScript clients. After authentication/authorization, pass them their secret key over HTTPS; it only remains with the client for a bit (i.e. it is not stored anywhere).

The disadvantage is that a smart, malicious user could pretty easily debug into the JavaScript and ascertain this key.

2012-04-05 20:56
by scottheckel
Thanks for your suggestion. Unfortunately, JavaScript will run on clients' browsers, therefore I can't predict the IP and filter it. Regarding HTTPS, it won't help in this case, as all requests would be sent uniquely via JavaScript and, therefore, visible to anyone. As you confirmed, there isn't a way to do it with JavaScript only, which confirms my ideas - Diego 2012-04-05 21:14