 

How secure is passing a Bearer Token between two web applications using a query string?

I have two web applications (prototype) hosted on two sub-domains, example:

1) A CMS (done in PHP) at cms.mydomain.com.

2) A SPA - Single page web application (done in JavaScript) at spa.mydomain.com.

My use case:

The user can access the CMS app and authenticate using a username and password.

After authentication is successfully completed, a web page with some items is presented in the CMS app.

The user can select an item and then open it in a new window with the SPA application.

At the moment, after authentication is completed in the CMS app a Bearer Token is created, and we are passing the TOKEN to the SPA app as a query string in order to authenticate the user.

The SPA app's JavaScript retrieves the query string and other additional parameters and executes API calls in order to function.

Notes:

  • We are using HTTPS on both applications.
  • The SPA application can be accessed only after authentication in the CMS.
  • The SPA application which receives the token is an .HTML file, and API calls are made using JS only.
  • The Bearer Token has a validity of 14 days.
  • The token gives full access to the SPA application.
  • The token could also be passed from the CMS to the SPA using JS.
  • Tokens are generated by a third application, api.mysite.com.

I am aware that a TOKEN in query strings could be insecure because:

  • URLs with their query string parameters are saved in web server logs, and access to them could compromise security.

  • Third party applications like Google Analytics could store such URLs and query strings in their reports.

I would like to know your opinion on:

  • What could be a safe way to pass the token from the CMS to the SPA without using a query string?
  • I am wondering whether Window.postMessage() could be used in the CMS to send the token as a message to the SPA. Do you see any security issue with this approach?
  • What other risks could I encounter if using query strings (I need to convince my team that query strings are not a good approach - if true :) )?
  • Could you point me to some additional resources or guidelines?

Thanks for your time.

GibboK asked Nov 09 '22 14:11


1 Answer

You could perhaps create a one-time access token to the SPA rather than sending the original bearer token as the query string.

This token could then be sent to the API, decoded and used to create the real auth token, but would have the advantage of only being valid once. Now you no longer need to worry about server logs, GA, etc. I suppose it's a form of redirection to alleviate those concerns.

aw04 answered Nov 15 '22 12:11