How to use hwcrypto.js check persons use usb-token

Question

I am currently developing a web based signing system use hwcrypto When user plug usb-token device to computer then click button, it prompt select certificate and enter password:

window.hwcrypto.getCertificate({lang: lang, filter: filter})
.then(function(cert) {
    window.hwcrypto.sign(cert, {type: hashtype, hex: hash}, {lang: lang})
    .then(function(signature){
        // call jquery ajax to do some important thing
        $.ajax({
            url: 'index.php?action=very_important_action',
            dataType: 'html',
            success: function(response) {
                console.log(response);
        });
    });
});

It works, but i worry users call ajax function directly not use usb-token. How can I protect that?

Refer to this [SO Answer](https://stackoverflow.com/a/63173083/9659885) for complete documentation of Javascript APIs provided by free Signer.Digital Browser Extension — Bharat Vasant, Aug 02 '22 at 10:34

score 1 · Answer 1 · answered Nov 19 '18 at 10:27

I have a few approaches in mind, but it depends on your implementation -

You can set the usb-token in your local storage, and the page that is being requested has the check that usb-token field should already be available in the local storage.
You can check for every ajax request that is being made, by using $.ajax.beforeSend and check if you have usb-token available.
You can send the token as a query parameter and check in the page that is being requested, that if the parameter containing the token exists or not.

How to use hwcrypto.js check persons use usb-token

1 Answers1