Passing credentials to service stack rest api through angularJs and $http.get

Question

I have a service stack web service with the CorsFeature enabled.

I am calling a service through AngularJS's $http.get method with the setting withCredentials to true:

$http.get(url,{ withCredentials: true})

How do I securely pass the credentials to be used by the rest api?

Answer 1

On the ServiceStack side you must set your CorsFeature plugin to have allowCredentials = true and set a single origin. You can't have an origin of * when using allowCredentials.

withCredentials basically allows your origin domain and the ServiceStack service endpoint to share cookies, and pass the Authorization HTTP header, (when CORS is correctly configured). So ultimately your credentials could be a session cookie or an Authorization HTTP header.

This Mozilla documentation about CORS is good at explaining how the cross domain withCredentials works.

Because the CORS feature and withCredentials only sets up the ability for the domains to share cookies and pass the Authorization header, and doesn't do the authentication - you will need to find a suitable authentication mechanism.

You can either build your own authentication mechanism, or consider implementing the ServiceStack Authentication provider, which you can read about it here. Essentially you would want to do a post to:

POST server:port/auth/credentials?format=json

{
    "UserName": "admin",
    "Password": "test"
    "RememberMe": true
}

The authentication service would pass back a session cookie, and when you use withCredentials in your later requests, the cookie will be included automatically, and thus your request will authenticate.

To address passing the credentials securely, you will want to use HTTPS to avoid exposing the credentials in transit. This means securing the username and password value, as well as the session token value.

Hope this helps.