
Let's consider the following scenario:

We have an AngularJS front end which consumes an internal API to get and manipulate data.

We expose this API under /api/internal. However, we don't want this to be publicly accessible; we want it to be accessed only by our front end. To make sure of this, we allow access to the API only with a token passed in the request header: Authorization: Token token=xxx

The problem comes in how we set this token for all requests. We may take an approach like this:

// Runs once at application start-up and sets a default header on every $http request.
// The token literal is shipped to the browser as part of this script.
angular.module('myApp').run(function($http) {
  $http.defaults.headers.common.Authorization = 'Token token="xxx"';
});

The problem, of course, is that this will be in the client, which means anyone who inspects the JavaScript and greps for a Token or Authorization string will be able to find the token and use it to access the data.

There are other security measures in place of course, but focusing on just this issue, I am interested in how it can be approached differently and more safely.

  • To overcome this type of issue, you will need a middleware server. Instead of communicating directly with the API from the frontend, it will call the middleware server, and that server will transfer the request to your API. This will make your API more secure. If you go for your current approach, you can make it quite secure: if your API server accepts requests from only one IP, that will be your frontend server's IP. So if someone has consumed your token, it will still be of no use, because your API server responds to your frontend server only. Hope this helps. – dhavalcengg Jul 22 '14 at 09:32

2 Answers


You may try something like the following:

  1. You may create a sessions table.
  2. Once the session starts (for example, a user logs in), save the original token value in sessions and associate it with some encrypted value.
  3. Return this encrypted value to the client as a token.
  4. Send this encrypted value to the server every time, access the original token associated with that encrypted value from the sessions table, and do the processing.
  5. Once the session comes to an end (such as when the user logs out), remove the entry from the sessions table.

Also, the techniques listed at API Token Safety in Angular application, Authentication with AngularJS, session management and security issues with REST Api WS, and How to secure my AngularJS and Web Api application may prove useful.

Kamran Ahmed

If you want to use a token, but are worried about the token being reused repeatedly (and thus open to hijacking), you can use nonce tokens. Effectively, each request returns a new token (probably in a header), and each token can only be used once.

Nick