I am building a JavaScript SDK for our API. The API currently requires (2-legged) OAuth authentication. Obviously this isn’t suitable for a JS SDK since the key and secret are in plain sight (in the JS code).
Facebook only requires your app id when you init their JS SDK, so I would like to implement something similar (or of similar simplicity). When a developer requests a key we require their app’s domain. I was thinking of detecting the IP address of the submitted domain (for example myclientapp.com has 192.168.0.0 IP). And then authenticating JavaScript requests by confirming the remote host’s IP address matches.
Is this the best/easiest way of doing this?
UPDATE: As Rup pointed out, the remote IP will be the client’s and thus not match the app’s URL’s IP. So that’s out. So to reiterate, I’m looking for a solution that will allow me to enforce some form of authentication in my JavaScript SDK for my API that can’t be spoofed by someone else (trying to be someone else’s app).
Thanks,
Gavin
Authenticate the user instead.
Have the (claimed, but untrustworthy) app id passed into your init(), jsonp out to your domain, then either:

You’ll have control of the user experience during authentication, and can do some human verification of the app id (show the claimed logo, name, etc.).
This does assume that you even have a notion of users, like Facebook does.
*Check cookies: not all browsers accept them in response to ajax requests, but all browsers will send them.