How to pass apiKey / client secret securely from AngularJS to REST API

So I'm working on a project in which I'll provide an information feed to a specific business partner. There's no login required because the business partner's front-end has to pass a preallocated apiKey along with any request to my REST API. The API only responds to requests that contain a valid apiKey, and its access level has already been predefined when we generate the apiKey.

Currently I'm using CakePHP, with curl, passing the REST request method and the hardcoded apiKey as a param. Security hasn't been an issue so far. But our team is thinking: what if our business partner wants their website to be done in a recently trending JS front-end framework such as AngularJS?

For the same scenario, such a simple task cannot be done in a JS framework. I obviously cannot simply give them the client secret (apiKey) and let them include it in their client-side code. Anyone could view the secret and have access to our REST API.

Now we're talking about security, which my team really does not know much about. What are the ways to overcome this issue? How do I pass a client secret along with an HTTP request from AngularJS, securely and obscurely? Any suggestions, or could anyone point out something that I can study?

I had some ideas, though, but they just don't sound right.

  • I'll just put the AngularJS app in CakePHP's webroot. That would be a really dirty hack though... it just introduces unnecessary complexity.
  • Generate a hash from a combination of constraints such as origin domain / IP / public secret and timestamp, and on my API side, compare the hash and return an access token for each request... something like that...
Justin Moh asked Nov 09 '22 13:11


1 Answer

There are different options:

  • JWT (see my article)
  • OAuth (pick one)
  • A proxy to your API

The first two will require an initial authentication request; you'll get a token back that is passed in every future request to your site.

You can create a proxy: the site calls the proxy, which then makes another call to the real API and adds your API key.

floriank answered Nov 14 '22 21:11