 

how to hide or secure the token when passing from javascript to web api 2

I'm using JavaScript (AngularJS) in the UI site/project and Web API 2 in another site/project.

UI project: localhost/12345
Web API : localhost/98777

UI project is calling the Web API (C#) project passing the token from UI to WebAPI for CRUD requests.

I've generated the token in the server-side project, Web API 2 (localhost/98777): 1- username / password, 2- then the URL localhost/98777/Token, passing username + password + token.

With this approach it returns a token if you call it in Fiddler with content-type: application/x-www-form-urlencoded. Like this a token is generated and written to the localDB; later on this generated token can be used in your UI app to call the Web API project with JavaScript (ajax/angular).

I've implemented the bearer token calling the GET/POST/PUT methods in my client site.

localhost/12345 defined in the client site to get employee records via token:
----------------------------------------------
method: 'GET',
contentType: 'application/json; charset=utf-8',
authorization: "Bearer 040jdU6ry.....",
url: 'localhost/98777/api/employees/'

This returns me the data of all employees... it works.

localhost/98777 defined in the server site web.config:
---------------------------------
<httpProtocol>
  <customHeaders>
    <remove name="Access-Control-Allow-Origin" />
    <add name="Access-Control-Allow-Origin" value="*" />
  </customHeaders>
</httpProtocol>

PROBLEM? The problem is people can open Developer Tools in IE/Chrome/FF, see the JavaScript sources and look at the token, and then execute the code in Fiddler / Composer and add records :(.

So why do I need a token then????

Can someone advise what part I am missing? Is it normal that people can see the token?

This app will be used on an intranet and used by developers, so I need to secure it as much as possible...

ethem asked Mar 20 '15 13:03




2 Answers

Is it normal that people can see the token?

Yes, it is normal. As far as I know, the token just holds identity information, as well as some claims the client cannot modify. That's the only thing it can be trusted for: identity.

Server-side you have to check (roles/rights/business rules) that the user corresponding to the token's identity is entitled to perform the requested action.

Never rely on the business rules enforcement of your client-side UI. Always double check server-side and you will be safe.

jbl answered Oct 13 '22 00:10
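The point above (trust the bearer token only for identity; decide server-side whether that identity may do the requested thing) in a Web API 2 controller, as an added example that is not code from the question or the answer. It assumes the OWIN bearer middleware behind the question's /Token endpoint has already validated the token and populated User with its claims, that the token carries a role claim, and that IEmployeeStore and Employee are hypothetical types wired up through a dependency resolver:

```csharp
using System.Collections.Generic;
using System.Net;
using System.Security.Claims;
using System.Web.Http;

// Hypothetical record and data-access abstraction (the question's localDB would sit behind it).
public class Employee { public int Id; public string Owner; }
public interface IEmployeeStore
{
    IEnumerable<Employee> GetAll();
    Employee Find(int id);
    void Add(Employee e);
    void Update(int id, Employee e);
}

[Authorize] // no valid bearer token -> 401 before any action runs
public class EmployeesController : ApiController
{
    private readonly IEmployeeStore _store;
    public EmployeesController(IEmployeeStore store) { _store = store; } // assumes a dependency resolver

    // GET api/employees: any authenticated identity may read.
    public IHttpActionResult Get() { return Ok(_store.GetAll()); }

    // POST api/employees: only a token that carries the HR role may create records.
    // The role claim lives inside the server-issued token, so someone who merely copied a
    // token out of the browser's developer tools still only has the rights of that user.
    [Authorize(Roles = "HR")]
    public IHttpActionResult Post(Employee employee)
    {
        if (employee == null) return BadRequest("Missing request body");
        _store.Add(employee);
        return Created("api/employees/" + employee.Id, employee);
    }

    // PUT api/employees/{id}: the business rule is enforced here, not in the UI:
    // a non-HR caller may update only the record they own.
    public IHttpActionResult Put(int id, Employee employee)
    {
        var identity = User.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated) return Unauthorized();
        var existing = _store.Find(id);
        if (existing == null) return NotFound();
        var isHr = identity.HasClaim(ClaimTypes.Role, "HR");
        if (!isHr && existing.Owner != identity.Name)
            return StatusCode(HttpStatusCode.Forbidden); // token is valid, action is not allowed
        _store.Update(id, employee);
        return Ok(employee);
    }
}
```

Reading the token from the client source therefore gains an attacker nothing beyond what that one user could already do through the UI, and a leaked token can be bounded further by a short expiry on the server side.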


You can think about the following steps:

  1. Have a public key.
  2. Encrypt the key using the timestamp.
  3. Send the encrypted key with the timestamp in the header.
  4. Encrypt the key in the API with the same timestamp.
  5. Compare both keys.
  6. Check the timestamp against the system time.
Chamika Sandamal answered Oct 12 '22 23:10