
I'm building an embeddable javascript library that my users can put into their web apps and serve it to their visitors.

The visitors can engage an action on the library, that triggers some data going back to my server.

How do I authenticate the library without leaking credentials to the visitor? Is an access control list locked to the domain the recommended solution, with no credentials exchanged at all?

I took a look at this question here, and it seems to be suggested as an outlandish solution: How can I validate/secure/authenticate a JavaScript-based POST request?

Jake Blake

1 Answer


If you take a look at other API engines, most of them use an API key (Google, for example).

I guess an API key is just a value generated by the server system that encodes the credential in a non-reversible way.

This, together with, for example, the domain of the document host (which can be retrieved by your library reading the host header that is sent when requesting the page), is what can be used to authenticate on your server.

In other words: Encoded credentials (API Key) + domain locked sent by your library to the server.

Dani C.
  • What's the use of the API key if the domain is already authorized on my server? – Jake Blake Oct 10 '12 at 03:14
  • To hide the user credentials from the world. An example could be the MD5 hash of the user name and password. – Dani C. Oct 10 '12 at 09:37
  • But why are user credentials necessary if the domain is already locked to my server? – Jake Blake Oct 10 '12 at 16:07
  • I guess that the idea is a double validation. Also, the API key can be useful for encrypting AJAX requests using a private-key authentication like HMAC. – Dani C. Oct 10 '12 at 16:39