neo-ray

Reputation: 9

Angular REST API security

I have an issue with my app when I use Angular to consume REST API requests.

The web service URLs are stored in the Angular service or controller JS file, so if I have a login web service to check the username and password like:

http://mylocal.com/api/service.json?api_user=Username&api_key=Password

End users or developers can get this URL and build software to try to find the username and password, so how do I hide the web service URLs in Angular JS, if that is possible?

Example:

// AngularJS 1.x controller; $scope and $http are injected by the framework.
angular.module('app').controller('ContactCtrl', ['$scope', '$http', function($scope, $http) {
    $scope.submit = function(request) {
        $scope.contactUsSuccess = false;
        // The endpoint path and every parameter are part of the shipped JS and
        // appear in the browser's network tab; encodeURIComponent only escapes
        // the values for the query string, it does not hide anything.
        $http.post('/_/contactUs' +
                "?firstName=" + encodeURIComponent(request.first) +
                "&lastName=" + encodeURIComponent(request.last) +
                "&email=" + encodeURIComponent(request.email) +
                "&phone=" + encodeURIComponent(request.phone) +
                "&company=" + encodeURIComponent(request.company) +
                "&message=" + encodeURIComponent(request.message)
            ) // Contact us
            // .success/.error are the legacy AngularJS 1.x promise helpers
            // (removed in 1.6, where .then(onSuccess, onError) is used instead).
            .success(function(reply) {
                console.log(reply);
                $scope.contactUsSuccess = true;
                $scope.contactUs = "";
            })
            .error(function() {
                alert('There seemed to be a problem with your submission. Please refresh the page and try again.');
            });
    };
}]);

You can get the contact web service URL and use it, so how can I solve this issue?

Upvotes: 0

Views: 2145

Answers (1)

Steve

Reputation: 1423

First off, this is really bad if you're doing this over HTTP and not HTTPS. Sending this over HTTP sends your credentials in text/plain for anyone to sniff and grab on the network.

I'm assuming they are not using specific firewall rules either.

Because of the REST endpoint you're dealing with, you could initiate the REST call in a few different ways:

  1. Set up an HTTP(S) proxy that has that pre-defined username/password pair in it. That way, instead of calling https://someremoteapp.com/user=joe&pass=test you could call /rest
  2. Probably the better option is to set up a back-end forwarder service to work with this API and hide the credentials on the back-end. You can do this using something like PHP, Ruby, Python, Node.JS...
  3. The best option is to ask if they support other security mechanisms.

Upvotes: 1
