Reputation: 21
Securing/Obfuscating JavaScript API requests
I have a page that allows users to watch a YouTube video and automatically receive a reward as soon as the video ends playing. This is done with the Youtube JS API:
pseudocode:
function videoStoppedPlaying() {
requestRewardFromServer(); // currently uses an XMLHttpRequest
}
The problem with this approach is that one could just open the browser console and manually call requestRewardFromServer().
I am already applying obfuscation on the code, but this is like putting a bandage on a hole in a boat; It does not solve the problem.
Edit: So far the only solution that comes close is using timestamps. Even though this is not the ideal solution, I will take the advice to heart and try to further obfuscate the JS code.
Any suggestions?
Upvotes: 1
Views: 1367
Answers (3)
Reputation: 1468
The only solution to control that the user is actually watching the video, besides checking end time - start time vs length of video is to actually check that the user is really watching it. I suppose you have a function that can tell you at what minute of the video (or percentage) the user is. So, you could periodically inform the server via javascript about that: For example, every 5 seconds or every 5% of the video, the client has to send a xmlhttp request to the server to inform it about this. The server will check for a client that it received all requests in the corresponding order (or almost, maybe he rewatched a part of it, you will have to figure out an appropiate algorithm).
It is not easy, it requires some work and it is not quite 100% 'bulletproof'. But, anything related to javascript can still be manipulated locally.
Upvotes: 1
Reputation: 17805
Below are my thoughts on this-
I feel you need to dive into server side for this.
- Set a session variable on the server, such as
video_length= some_length. - From the time the video started, send an ajax request to the server and set some session variable, as
video_started= some_time. - Now, when you call
requestRewardFromServer(), compare thecurrent timewithvideo_start. It needs togreater than or equal tothevideo_length.
If it is satisifes the condition, reward them, or else not. You might say this doesn't guarantee that the full video is watched. Yes, but at least the person trying to spoof has to wait that long.
Upvotes: 1
Reputation: 2866
When getting the reward, store the Youtube video ID so you get at least one reward per video. Of course you have to keep track of the video ID's or else you can pass any string.
To prevent users getting the reward without watching the video you could build some timer such that it would be impossible to get the reward after the time has exceed.
Upvotes: 1
Related Questions
- How do I prevent abuse of my api's by 3rd parties in javascript?
- Securing API requests from Javascript
- How can you secure a JavaScript application's API calls?
- Obfuscation: JS protection
- Securing JavaScript API
- HTML request obfuscation in the event of external APIs with passkeys
- Protect Web API from unauthorized applications
- Encode/obfuscate HTTP parameters
- Ideas on Protecting Web App data sources