Reputation: 1421
I have a service stack web service with the CorsFeature enabled.
I am calling a service through AngularJS's $http.get method with the setting withCredentials to true:
$http.get(url,{ withCredentials: true})
How do I securely pass the credentials to be used by the rest api?
Upvotes: 4
Views: 3319
Reputation: 21521
On the ServiceStack side you must set your CorsFeature
plugin to have allowCredentials = true
and set a single origin. You can't have an origin of * when using allowCredentials
.
withCredentials
basically allows your origin domain and the ServiceStack service endpoint to share cookies, and pass the Authorization
HTTP header, (when CORS is correctly configured). So ultimately your credentials could be a session cookie or an Authorization
HTTP header.
This Mozilla documentation about CORS is good at explaining how the cross domain withCredentials
works.
Because the CORS feature and withCredentials
only sets up the ability for the domains to share cookies and pass the Authorization
header, and doesn't do the authentication - you will need to find a suitable authentication mechanism.
You can either build your own authentication mechanism, or consider implementing the ServiceStack Authentication provider, which you can read about it here. Essentially you would want to do a post to:
POST server:port/auth/credentials?format=json
{
"UserName": "admin",
"Password": "test"
"RememberMe": true
}
The authentication service would pass back a session cookie, and when you use withCredentials
in your later requests, the cookie will be included automatically, and thus your request will authenticate.
To address passing the credentials securely, you will want to use HTTPS to avoid exposing the credentials in transit. This means securing the username and password value, as well as the session token value.
Hope this helps.
Upvotes: 4