Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to connect to a API with oAuth 1.0a using javascript? [Angular.js]

Currently, I'm working on a web app that requires me to connect to an external API to GET a JSON file.

The API in question that I'm using noun project which requires an Oauth1.0a authentication. Now this project requires me to use Angular.JS to handle JSON data.

But before I can work with the JSON I need to GET it, and this is where things fall apart. I keep getting the following error on my http://localhost:8080/ when I try to connect with the following code.

The error :

> XMLHttpRequest cannot load
> http://api.thenounproject.com/icons/fish&callback=?&oauth_consumer_key=9c70…891xxxx&oauth_version=1.0&oauth_signature=xxxxx6oeQI0p5U%2Br0xxxxxxx%3D.
> No 'Access-Control-Allow-Origin' header is present on the requested
> resource. Origin 'http://localhost:8080' is therefore not allowed
> access. The response had HTTP status code 403.
> Blockquote

The code :

var oAuth = OAuth({
  consumer: {
    public: '9c704cb01xxxxxxxxx',
    secret: '45b7a8d86xxxxxxxxx'
  },
  signature_method: 'HMAC-SHA1'
});

var app = angular.module('nounProject', []);

app.controller('apiController', function(){
  console.log("check");

  var request_data = {
      url: 'http://api.thenounproject.com/icons/fish&callback=?',
      method: 'GET'
  };

  // var token = {
  //   public: 'f5fa91bedfd5xxxxxxxxxx',
  //   secret: '84228963d5e8xxxxxxxxxx'
  // };

  $.ajax({
      url: request_data.url,
      type: request_data.method,
      data: oAuth.authorize(request_data)
  }).done(function(data) {
      console.log(data);
  });

});

The library I use to access OAuth in JavaScript is the following: https://github.com/ddo/oauth-1.0a#client-side-usage-caution (by DDO)

Can anyone guide me in the right direction, or has a better way to OAuth connect to an API with Angular.JS?

Thanks in advance!

like image 535
DennisL Avatar asked Dec 18 '14 17:12

DennisL


2 Answers

The right way is client <-> server <-> oauth services

All the oauth steps should be in your server side.

Why? The simple answer is you can't hide your secret consumer/token at your client side.

like image 93
Ddo Avatar answered Nov 20 '22 10:11

Ddo


I was having the same problem with getting client-side to work, the original is here No Authentication Pop up with Tumblr Like <a> link: but I'll just repost it for ease..

Found an answer!

So let me break it down for you all.. I am just going to run down all the issues and caveats that were discovered while I was hacking away at the Tumblr API. In most cases you will not find any of these answers on the inter webs. If you do, they most likely will just be my answers to my own questions that I posted to the Forums.

A Tumblr Application is defined by any page template either hosted by Tumblr or not that will be using the Tumblr API. Applications must be registered with Tumblr at: https://www.tumblr.com/oauth/apps

All Tumblr Applications upon creation are given a set of keys for accessing the Tumblr API. OAuth Consumer Key aka API Key Secret Key

The Tumblr API is divided mainly into two different types of methods. The third being “Tagged” which is for pulling tagged posts from the Blog or the User.

“Blog Methods” which only require the submission of the Consumer Key. “User Methods” which require a full OAuth signed request which meets the OAuth 1.0a Protocol. The “User Likes” returns a maximum of 50 records at a time. This is not documented in the Tumblr API docs.

Currently the Tumblr API documentation directs developers to use one of the many open source API clients. However, all these clients seem to be Server Side applications. For providers, such as Tumblr, which support only OAuth1 or OAuth2 with Explicit Grant, the authentication flow needs to be signed with a secret key that may not be exposed in the browser.

HelloJS gets round this problem by the use of an intermediary webservice defined by oauth_proxy. This service looks up the secret from a database and performs the handshake required to provision an access_token. In the case of OAuth1, the webservice also signs subsequent API requests.

HelloJS - http://adodson.com/hello.js/ is the only client-side Oauth library that was available and free. There are many services out there that charge on a per-api hit basis to serve as a proxy. The HelloJS OAuth Proxy is available at: https://auth-server.herokuapp.com/

Login to the OAuth Proxy is done using one of the following social account credentials: Google, Windows Live, Facebook, or Yahoo. OAuth Proxy serves as a secure “man in the middle” allowing for the “Secret Key” to be securely stored while still allowing for Client-Side OAuth authentication.

HelloJS features a special Tumblr Module - http://adodson.com/hello.js/demos/tumblr.html

HelloJS utilizes the new Javascript Promises asynchronous functions specification - https://www.promisejs.org/

Javascript Promises have some unique rules when it comes to passing objects received from an asynchronous AJAX call. With everything is done in the callback. What jQuery calls a promise is in fact totally different to what everyone else calls a promise. Hope this helps for future Tumblr integrations.

John

like image 23
John Drefahl Avatar answered Nov 20 '22 12:11

John Drefahl