Reputation: 2551
Authentication for my API on separate domain
I am trying to create an API that I can leverage for multiple client applications (web, mobile, etc..) I am hosting the API on Heroku, so the API address will be something like foo.herokuapp.com.
I want to serve all requests through this, but I also want to have a separate web client to interact with it, say, bar.herokuapp.com
Right now, I have authentication over HTTPS using cookies working well on the API's domain, but how do I authenticate requests from the web client (bar.herokuapp.com) to the API (foo.herokuapp.com) since it is on a separate domain?
Upvotes: 2
Views: 286
Answers (1)
Reputation: 14156
If you use cookie based authentication in foo.herokuapp.com you can change the scope of the cookie to be .herokuapp.com this way CORS requests with withCredentials from bar.herokuapp.com will send the cookie.
One problem I see though, is that herokuapp.com is not YOURS. Someone else could create an application in heroku, redirect your users there and stole the cookie. Then they will be able to call your api with the stolen cookie. So, I will strongly recommend you to buy a domain, otherwise do not use this approach.
Another approach that works very well for this case is to use JSON Web Tokens check Cookies vs Tokens.
Upvotes: 2
Related Questions
- How to create an authorization token for remote login for Heroku?
- how to protect my token of API when deploying to Heroku?
- API key does not allow access from IP (Heroku)
- How to config my Heroku app to restrict the access to it's herokuapp.com domain a specific server?
- API subdomain for Heroku app, is it possible?
- Heroku Platform API - OAuth Token for single Heroku application
- Basic HTTP authentication with the Heroku Platform API
- Make api calls to custom heroku domain
- User Authentication Across Multiple Domains
- Heroku app authenticate requests from Cloudmailin