
I'm writing a javascript plugin which will be installed by bloggers/website owners. It will communicate with my remote API.

I'm wondering how to secure the API to ensure that only domains owned by users that have registered an account with the service can access resources from the API. I've read up on OAuth2 and understand the basics, but because the plugin will run from within the browser and not from server to server, I'm not sure how secure this can be.

Tons of services like Mixpanel, Google Analytics, and Olark use the same concept (i.e. website owners install a line of JS on their site), so it must be a solved problem.

cjroebuck
  • What exactly are you trying to prevent? – SLaks May 15 '12 at 15:29
  • Trying to prevent people from accessing data they shouldn't have access to, e.g. me accessing the google analytics data of a site I don't own or control. Google does this, but how? using OAuth? – cjroebuck May 15 '12 at 15:37
  • No; Google does not do that. The Google Analytics script does not give access to any data. – SLaks May 15 '12 at 15:40
  • To answer your apparent question, you can use any login system. – SLaks May 15 '12 at 15:40

1 Answer


You can insert window.location checks into your script to prevent other people from including it directly off of your servers.

However, it is impossible to prevent people from downloading the scripts locally, removing your protection, then hosting it themselves.

You can require an API key in all server-side requests, but enemies can easily steal API keys from legitimate sites.

SLaks
  • The script would be pretty much useless though without communication with my API. Sorry my question is a bit vague; I'm just a little confused how the services I mentioned have gone about implementing this. – cjroebuck May 15 '12 at 15:44
  • None of the services you mentioned can return any information. – SLaks May 15 '12 at 15:46
  • SLaks hit it on the head. GA and Mixpanel widgets only send data, and there's nothing preventing any site from using a given GA key to record data except that they then can't access the data in question (and it's easily filtered for the legitimate user). In the Olark case, data does come back (i.e. messages from the operator), but it's session-specific and not authenticated-user specific, so the same thing applies (I'm an engineer for Olark, and we don't do any sort of URL verification because it would ultimately be useless for the reasons SLaks mentioned). – A. Wilson Jun 15 '12 at 21:30
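As an added illustration of the two ideas in the answer (a window.location-style check inside the script, and an API key checked on the server) plus the write-only/read-by-login split the comments describe, here is example code that is not part of the question, the answer, or any of the services mentioned. The key registry, domain names and function names are constructed for the example; the Origin-header check goes a step beyond what the answer spells out.

```javascript
// Constructed sample registry: API key -> domains the account owner registered.
const KEY_REGISTRY = {
  "key-abc123": ["blog.example.com", "www.example.com"],
  "key-def456": ["shop.example.net"],
};

// Client-side guard in the spirit of the answer's window.location check.
// It only stops naive hot-linking of the script from your CDN: anyone can
// copy the file and delete this check, so it is a deterrent, not a boundary.
function hostAllowedByScript(allowedHosts, hostname) {
  return allowedHosts.includes(hostname.toLowerCase());
}

// Server-side check for each API request. The key must be known, and the
// request's Origin header (set by the browser on cross-origin fetch/XHR,
// not writable by page script) must name a domain registered for that key.
// A non-browser client can still forge Origin, so this limits which sites
// can submit data under a key; it never decides who may read that data.
function authorizeRequest(registry, apiKey, originHeader) {
  const domains = registry[apiKey];
  if (!domains) return { ok: false, reason: "unknown key" };
  if (!originHeader) return { ok: false, reason: "missing Origin" };
  let host;
  try {
    const url = new URL(originHeader); // "null" and garbage throw here
    if (url.protocol !== "https:") return { ok: false, reason: "origin not https" };
    host = url.hostname.toLowerCase();
  } catch (e) {
    return { ok: false, reason: "malformed Origin" };
  }
  if (!domains.includes(host)) return { ok: false, reason: "origin not registered" };
  return { ok: true, reason: "ok" };
}

// The split the comments describe: the embedded script and its key can only
// write events; reading them requires an authenticated account session that
// owns the key, so a stolen key on a foreign site gains no access to data.
function canReadData(session, apiKey) {
  return Boolean(session && Array.isArray(session.ownedKeys) && session.ownedKeys.includes(apiKey));
}
```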