Using uniform authentication for API and Web - javascript

tech stack
Ruby on Rails
RESTful JSON API
Backbone + Handlebar templates + Underscore + JQuery
OAuth2
I am working on a webapp where I would like all the communication between the browser and controller via JSON RESTful API. I would also like to use the same API for different client apps like mobile and desktop apps.
I am considering the OAuth authentication mechanism for API. This fits in perfectly with Desktop and Mobile app. However if I would use the OAuth for front end too; then that basically means that an end user would be issued an access_token and that would be used to make subsequent requests.
Is there a clean way to handle session timeouts ONLY in webapp while using the same oauth token strategy for Authentication without having to wrap it with a separate persistent session?
Are there any good practices or frameworks that allows us to expose API for client as well as webapp consumption while catering to the specific nuances of each?
I know Foursquare currently uses the OAuth API for both clients and web; but curious as to how they handle authentication with that?
Any help with ideas and implementation would be much appreciated.

Related

Secure REST API + frontend web-app without user authentication

I have a database with API written in Python (Flask). I want to build a frontend which makes requests to API and display data. But I want to control the access to the API.
I couldn't implement authorization because my web app is a public client type (according to Oauth RFC) -- so there is no way to store credentials securely to authenticate the app. And I don't need user authentication (the web app is a simple catalog with interactive filters and cart).
So I need somehow to protect JS-code (uglifying/obfuscating is not enough, because I have ajax requests with URIs) or rebuild the whole web app in some way to hide ajax requests and secure the API.
Does anybody has any ideas and hints how is it possible to secure API + frontend web-app without user authentication?
It should be trivial because there're a lot of products catalogs which work in interactive manner like tesco and its filtering mechanism. But I don't understand how.
Could you give a hint?
The previous question REST API: user-agent-based client (app) authorization

Accessing DynamoDB from client side using javascript?

I am developing an HTML5 mobile application which I am planning to port to Android also using Phonegap. I want to use AWS DynamoDB for storing my users data. I know that amazon has a http api but it is too complicated. Some of my queries are
If I use the HTTP api, wouldn't it expose my credentials? (Same qquery for dynode)
What are the alternatives? I have a EC2 instance so hosting a server is not a problem.
I would appreciate your suggestions on this.
If you connect directly from your phone application, to dynamodb, you will risk exposing your credentials.
The general way to handle this is to have a json REST api through which the phone application can authenticate and make requests to the datastore. Your application would communicate with this api.
In this case, each user would likely have its own authentication to your server application.

External Private API Authentication with Backbone

I am building an API and had questions about handling authentication when using a front-end framework such as Backbone.js.
I have a single API server that is responsible for returning and modifying data based on RESTful web requests.
I have another app server that is a Backbone application. I want this application to connect directly with my API server, so set the entire project up so that this app server can make cross-domain AJAX requests to the API server.
There are some API routes that I do not want unauthorized parties to obtain access to. For example, I have a path /users that lists all the users of my app. I need this path later on for admin functions, but I don't want it publicly available to my app server.
What is a good authentication scheme to use? OAuth won't work because the secret token would be exposed on the front-end. And after that, I'm a little stuck with what my options are. Does anyone have any suggestions moving forward?
In cases like these I use a combination of techniques.
-- Good ole Cookie based auth
As a backbone app will always be used inside a browser and browsers have built-in cookie support, I would suggest that you should accept cookie based sessions on the server side. All the auth related stuff will be handled by the browser and you don't have to worry about storing keys etc. On top many libraries like (NSURL in iPhone) and frameworks (like PhoneGap/Trigger) all support cookies so woha you can support all kind of clients with litte work.
-- Plain API Key
For third-parties, I use api-key based authentication. You provide username and password, I provide key. You send me that key every time in HTTP header for all subsequent requests. I use the key to identify you and then allow/disallow actions accordingly.
I assume once you can authenticate a user (wait..who are you?), then you can setup authorizations ( you say Micheal ? ...ok you can access /users )
Also take a look at my backbone-parse plugin for an idea on how to authenticate users against an external API service #shamelessplug

Signing webservices api calls with javascript

I'm looking for a nice pattern that woud help me to fully sign my api calls with javascript (here for some example, vimeo) after some oauth connect retrieved authorization identifiers.
Using ruby with omniauth, what I'm looking for would be to retrieve the url that gets called when you do a ModelName.{generateTokenMethod}.request(:get,{url})
It is possible. There are a handful of oauth 1.0a libraries for javascript (You could try looking at some node.js code as an example).
The problem with using oauth in client-side javascript is that it will expose your client secret to anyone using your web service.
Anyone who has your client secret can make requests on behalf of your application, and lure users into generating access tokens by masquerading as your application.

Retain authentication via JavaScript client?

I have a WCF application where I make JavaScript calls to. I want to secure the web services so you have to be logged in to use it. This is easy if I have a server-side application making the requests to the WCF. If I am using a pure JavaScript / jQuery client-side app, I can authenticate fine by passing the credentials as JSON parameter, but how do I keep that client-side app logged in from that point on? Do I store a cookie? I do not want to store the credentials in the cookie of course because that is not secure. So how can I achieve this without introducing another server-side application to the mix? How do web apps achieve this?
OAuth is kind of the go to solution for JS API's. Netflix, Yelp, Facebook etc. use this.
Here is an article on OAuth in WCF
And here is a pretty well known library for doing auth in .NET: DotNetOpenAuth
If you use or are using ASP.Net form authentication (WCF should be running in ASP.Net compatibility mode) then there is not much to do.
If you set the form authentication ticket\cookie after your initial authentication, the cookie would be attached to every subsequent request from the browser without you writing any code. All future calls to WCF service then can be authenticated on the server using the standard ASP.Net authentication pipeline.

Categories

Resources