
I have to pass a username and a password from one domain to an AngularJS application on another domain.
The server where the Angular app runs, does not support any server-sided scripts (e.g. no PHP).
The only way I can think of (using JS only) is to pass the username and password as GET parameters in the URL. This approach does not seem right and is a security threat.

Is there any other way that I missed to pass the username and password safely to my AngularJS app?

Horen
    You cannot safely pass information purely through a client-sided approach. – Spencer Wieczorek Mar 29 '16 at 15:36
  • If the domain where the ng app is running does not have a backend, then why do you even need a username and password? – Ji_in_coding Mar 29 '16 at 15:39
  • @Ji_in_coding it talks to an API – Horen Mar 29 '16 at 15:40
  • @Horen if you're using an API that you have no control of, then you'll have to depend on that API for validation. – Calvin Mar 29 '16 at 15:41
  • Then it does have a backend. The API can help you validate the information. What you can do is have the first domain generate some kind of auth token using the username and password, pass the auth token to your ng-app, and let the ng-app submit this token to the API for validation. – Ji_in_coding Mar 29 '16 at 15:41
  • @Ji_in_coding Yes, you're right, but the question remains: *How to pass the auth token safely to my app*? – Horen Mar 29 '16 at 15:42
  • @Horen as long as you're passing the GET parameters via HTTPS you should be safe – Calvin Mar 29 '16 at 15:47
  • @Calvin Yes, but it's still not an ideal solution: http://stackoverflow.com/a/323286/1503476 – Horen Mar 29 '16 at 15:53
  • I don't think the safety matters when you are passing a one-time token. E.g., AppA passes AppB (ngapp) a transparent one-time token. AppB authenticates with the web API, and the web API issues another token to AppB. Besides, this token is randomly generated from username + timestamp? + someprivatekey? I have done similar things before. I simply used AES256(user+pass+timestamp) using a known secret key between AppA and AppB (in your case it is the web API). – Ji_in_coding Mar 29 '16 at 16:30

2 Answers


Never trust information sent by the client. Always do your validation again server-side. If you cannot validate it server-side, you cannot trust it.

Rafael Quintanilha

Try sending it as some sort of authentication token string that encrypts the username and password, and decrypt it when needed in the other domain's backend.

You can create your own authentication token string to ensure flexibility; just make sure that the security algorithm you use is robust.