codemaniac

Reputation: 891

Which is the best security technique for my javascript plugin

My plugin has flows depicted by the diagram below:

[Diagram: MyPlugin.js flows]

The requirement is to make the onclick transaction happen after authentication. That is, only if the owner of the domain which contains page.html has registered with my site (for instance www.MyPluginJS.com/register) can he/she use MyPlugin.js.

My registration portal spits out a Client ID after successful registration.

My question is:

  1. What is the best approach I need to use in order to make the onclick transaction secure?
  2. What are the other parameters (eg: MD5 fingerprint) I may require to make sure that the transaction happens securely?
  3. Are there any existing frameworks (for instance OAuth) that I can leverage?

I need a way to stop people from using MyPlugin.js who haven't registered.

I am inexperienced with security techniques but I can manage to code.

Thanks in advance :)

Upvotes: 4

Views: 764

Answers (3)

Billy Moon

Reputation: 58601

I think you should use a session created on the server side to ensure the user is logged in. You can then check client side (for user convenience) if the session variable is set, and then validate the session server side (for security) to avoid user tampering with client side code.

You could then use AJAX to load the contents of the plugin page into an iframe. jQuery makes AJAX much easier to manage.

So the simple answer from me is to use server side scripting, and session variables to ensure security, and jQuery and AJAX on the client side for user convenience.

Upvotes: 1

Roberto Linares

Reputation: 2225

By using jQuery, you can take advantage of the function $.getScript(url) to load a JavaScript file from the server side, avoiding the use of the <script> tag.

The idea is to point the getScript function to a server-side script that will first validate your user's session and, if the session is valid, return your JavaScript file content to be loaded, or a void JavaScript file otherwise.

Upvotes: 1

Michi

Reputation: 2520

You could serve the JS file using some server-side language and add a key/value pair to the request for the JS file, e.g. MyPlugin.js?key=someValue. Your script could compare the value to some DB table values where you store authorized users.

HTH, Miguel

Upvotes: 1
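A key in the script URL is visible to anyone who views the page source, appears in server logs and Referer headers, and so is an identifier rather than a secret. Since the question says each Client ID belongs to a registered domain, the server can at least tie the key to that domain by checking the Origin or Referer of the request that loads the script. The following Node.js code is an added example for this page, not code from the answer above; the registry contents, client IDs, the `key` parameter name and the plugin body are constructed for the example.

```javascript
// Added example: serve MyPlugin.js only when ?key= names a registered client
// AND the page loading it is on that client's registered domain. The registry
// table, client IDs and plugin body are constructed sample data.

// Stand-in for the DB table of authorized users: client ID -> registered domain.
const registeredClients = new Map([
  ['a1b2c3d4e5f6', 'example.com'],
  ['ffffffffffff', 'shop.example.org'],
]);

// Constructed stand-in for the real plugin body.
const PLUGIN_SOURCE = 'window.MyPlugin = { run: function () { /* plugin body */ } };';

// Host of the page that embedded the script, taken from Origin or Referer.
// Browsers set these for script loads; a non-browser client can send anything,
// so this stops a key being casually copied onto another site, nothing more.
function embeddingHost(headers) {
  const src = headers.origin || headers.referer;
  if (!src) return null;
  try {
    return new URL(src).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// True when host is the registered domain or one of its subdomains.
function hostMatches(host, domain) {
  if (!host) return false;
  return host === domain || host.endsWith('.' + domain);
}

// Decide the response for GET /MyPlugin.js?key=... Returns an empty script
// with 403 on any failure so a page with a bad key simply gets no plugin.
function servePluginByKey(requestUrl, headers) {
  const key = new URL(requestUrl, 'http://localhost').searchParams.get('key');
  if (!key) {
    return { status: 403, body: '', reason: 'missing key' };
  }
  const domain = registeredClients.get(key);
  if (!domain) {
    return { status: 403, body: '', reason: 'unknown key' };
  }
  const host = embeddingHost(headers);
  if (!hostMatches(host, domain)) {
    return { status: 403, body: '', reason: 'host not registered for key' };
  }
  return { status: 200, body: PLUGIN_SOURCE, reason: 'ok', clientId: key };
}
```

The `reason` field is meant for the server's own log, not the response body: logging which keys are requested from which hosts is how you would notice a key being reused elsewhere and revoke it. Because the key is public, the onclick transaction itself should still be authorized on the server with a real session or signed request rather than by the presence of the key alone.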
