Reputation: 1845
We are trying to develop an API for our service and we are unsure how to accomplish the authentication process. Our clients have to be able to include a .js file which connects with our Node.js server. The key point here is that our backend must track the use of the API so our clients are going to be charged according to their use.
Our intention is to design the API as simple as possible for the users, as well as making it secure. We have thought of:
Creating an API_KEY for each user and matching it with their domains in every request. The problem here could be that the domain is not the most secure option, is it? We understand that the domain may be supplanted in an HTTP request.
Using an SDK with an API_KEY and SECRET_KEY to generate a token for a given session and user. I don't dislike this option at all, but we would prefer a simpler solution for the developers, which would not imply using several APIs.
Do you have any ideas/suggestion/considerations/whatever?
Thanks in advance.
Upvotes: 5
Views: 2618
Reputation: 1226
I like your second option best. In addition to an API_KEY and SECRET_KEY you can do a number of other things.
First of all, make sure all requests are done through HTTPS. It is the single most important security feature you can add... and it's easy to do.
Second, if you want to make things super secure, send a timestamp from the client. This timestamp can be used to hash the SECRET_KEY, providing you protection against someone recreating data.
Your client would send the following with every request:
1) timestamp - you would store this in your database and reject any new requests with a smaller number
2) API_KEY - essentially a userID
3) signature - this is a hash of the SECRET_KEY, timestamp, and API_KEY. (The hashing algorithm and order of parameters is generally unimportant. SHA1 is pretty decent.) Your server can calculate this hash to validate that this client actually knows the SECRET_KEY. At no time should your client ever disclose the SECRET_KEY to anyone.
You can also look into the OAuth standard. I believe NodeJS and Javascript in general both have libraries for it. NodeJS OAuth Provider
Upvotes: 3