
I've spent the past week on SO and in books reading about authentication and started to roll out Basic Authentication for my WebAPI so that HTML clients can let users login/register/logout, but Basic Auth doesn't facilitate logging out so I'm back at square one.

Details:

  1. I don't need to let users log in with other services. I don't need facebook or google logins. Just a username/password.

  2. I need users to be able to log in / log out / register from the client application (not the browser).

  3. I don't mind sending credentials over the wire since I'll be using SSL.

  4. Currently there's only one client but there will be others accessing the API, so I'll need to implement something akin to api keys in the future. Maybe this is a separate issue.

  5. I have a RESTish WebAPI that accepts/returns JSON to html/js clients in other domains.

  6. This is for prototyping so I don't need the best possible solution, just something that's good enough for pre-release and has a low time-to-implement.

Where should I start? What would you do, and why? Is Forms Auth an option?

RobVious
  • What is your attack scenario? Are you only protecting your server from abusive clients or do you need to protect the user's password from malware on their machine? When registering do you need to make it expensive for non-humans to register large numbers of accounts? – Mike Samuel Apr 12 '13 at 21:22
  • I don't have an attack scenario in mind. Just clients. No. – RobVious Apr 12 '13 at 22:03
  • It's really hard to answer questions of the form "How do I {secure,harden} X?" without knowing against what you are securing X which is what attack scenarios clarify. – Mike Samuel Apr 12 '13 at 22:40


In the question you have

I don't mind sending credentials over the wire since I'll be using SSL.

In the comment to the answer you have said

I just don't want users sending plaintext passwords over the wire.

Not sure what exactly you are looking for but Forms Authentication is definitely an option. you can use basic authentication as well but it has a few drawbacks like you mentioned: no logout, etc. You must use HTTPS with basic authentication.

If browser popup is the main concern, you can get around that by preemptively sending the credentials in the very first request. Normally, the first request goes without the Authorization request header. Service responds with a 401 and sends back WWW-Authenticate response header indicating basic scheme. This is when browser pops up the dialog and asks for user id and password, packages it in the basic scheme and sends the Authorization header.
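The exchange described above, as an added example that is not part of the original answer: a client-side helper that builds the `Authorization` header preemptively (so the browser never sees the 401 challenge that triggers its dialog), and the server-side logic that either challenges with `WWW-Authenticate: Basic` or decodes the credentials. The `verify` callback and the `demoUsers` store are constructed for the demo. Because the JS client holds the header in memory rather than the browser's credential cache, "logging out" is just discarding that header.

```javascript
// Client side: RFC 7617 Basic credentials are base64("user:password").
// The user-id may not contain a colon, since the first colon is the separator.
function basicAuthHeader(user, password) {
  if (user.includes(":")) throw new Error("user-id must not contain ':'");
  const token = Buffer.from(`${user}:${password}`, "utf8").toString("base64");
  return `Basic ${token}`;
}

// Server side: one Basic-auth round, written as a pure function over the
// request headers. `verify(user, password)` is a hypothetical callback that
// checks the pair against the credential store and returns true/false.
const CHALLENGE = { status: 401, headers: { "WWW-Authenticate": 'Basic realm="api"' } };

function handleRequest(headers, verify) {
  const auth = headers["authorization"];
  if (!auth) return CHALLENGE; // first request without credentials: challenge

  // Accept only a well-formed "Basic <base64>" value; anything else is a challenge.
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(auth);
  if (!m) return CHALLENGE;

  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep < 0) return { status: 400 }; // malformed: no user:password separator

  const user = decoded.slice(0, sep);
  const password = decoded.slice(sep + 1); // password itself may contain colons
  if (!verify(user, password)) return CHALLENGE; // bad credentials: challenge again

  return { status: 200, user };
}

// Constructed sample store for the demo. A real service stores salted password
// hashes and compares in constant time; plaintext here keeps the example short.
const demoUsers = { alice: "correct horse battery staple" };
const verify = (u, p) => Object.prototype.hasOwnProperty.call(demoUsers, u) && demoUsers[u] === p;

// Walk through the exchange: an unauthenticated request gets the challenge,
// a preemptively authenticated one is accepted without any browser dialog.
const challenge = handleRequest({}, verify);
const accepted = handleRequest(
  { authorization: basicAuthHeader("alice", "correct horse battery staple") },
  verify
);

module.exports = { basicAuthHeader, handleRequest, verify, challenge, accepted };
```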

Firstly and most importantly: SSL, SSL, SSL. It's a very simple step even major sites miss, but it's damned important (even with SSL's many current hard-to-exploit flaws).

You can use pretty much any sort of authentication with webapi; basic-auth; credentials; you could look at using OAUTH style authentication (note I say style as the spec is so loosely defined it offers pretty much EVERY option and multiple ways of achieving it).

First and foremost I'd look at WebApi as a choice; have you considered something else, such as http://www.servicestack.net/, which contains a whole range of authentication adapters? https://github.com/ServiceStack/ServiceStack/wiki/Authentication-and-authorization

Secondly it would be helpful to know what you're authenticating and what it's authenticating for (private data / uploads / access to some stuff), in order for an answer that contains 'just enough security'.

Forms authentication 'could' be used, and assuming your client is non-browser based you could achieve this by returning login via a service and responding with the FormsAuthentication token, which you would need to keep in some sort of context for the period of use; assuming a timeout is set, once the software has finished using the API the user would have to log in again next time to reuse it.


As far as the web api / JS-Html frontend goes; to quote myself.

As it's a JS app it's probably worth taking a quick look at the OWASP top 10 in relation to JS

http://erlend.oftedal.no/blog/?blogid=125

A1 - Injection
A2 - Cross Site Scripting (XSS)
A3 - Broken Authentication and Session Management
A4 - Insecure Direct Object References
A5 - Cross Site Request Forgery (CSRF)
A6 - Security Misconfiguration
A7 - Insecure Cryptographic Storage
A8 - Failure to Restrict URL Access
A9 - Insufficient Transport Layer Protection
A10 - Unvalidated Redirects and Forwards

There's a good post on creating a custom authorization filter for WebApi here: http://www.west-wind.com/weblog/posts/2013/Apr/18/A-WebAPI-Basic-Authentication-Authorization-Filter (how-to/with code)

Chris McKee
  • Thank you for the detailed response, Chris. The app is already built using WebAPI, so no other option there. I have methods that I can access with JS calls from the client application that need to be restricted to logged in users. The application is just a flashcard app, nothing crazy valuable. I just don't want users sending plaintext passwords over the wire. You said I could use basic auth - this is what I have now but I don't like the browser window popping up and I don't like that I can't let the user log out. – RobVious Apr 12 '13 at 22:06
  • You can do basic-auth via JS ala http://stackoverflow.com/questions/9692067/jquery-ajax-calls-with-http-basic-authentication; this negates the use of the browser window. Of course it's 'over-the-wire', but you're limited in your usage scenario and have taken a relatively basic but important precaution in using SSL. – Chris McKee Apr 15 '13 at 09:02
  • This is of course only one suggested route (as in the answer). Forms authentication is possible and could be handled over web-api using Forms Authentication Ticket http://support.microsoft.com/kb/910443 The built in .net stuff from that point in is pretty much the same as MVC http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api – Chris McKee Apr 15 '13 at 09:07
  • Basically; if you want the simplest, fastest approach, use what the framework gives you and pick from the multiple options on the security section of the asp.net site ala http://www.asp.net/web-api/overview/security/forms-authentication :D – Chris McKee Apr 15 '13 at 09:08
  • Thanks so much Chris. That helps a lot. I went from Basic to Forms and I'm liking it :) – RobVious Apr 15 '13 at 14:14