Note: While my stack consists of Laravel (4/5) and AngularJS, i don't want this discussion to become a language or framework flame war, let's keep it respectable.
I would love the result of this to become an incredibly helpful blog post & guide.
Hi guys, i'm currently in the throes of (among other things), writing a client-side application to interact with an API (that i control). And there's a few things that confuse me, and i'd love to start an open discussion on the best patterns to use when building client side applications in order to achieve some of the following:
Authenticating for a client-side application.
That means that no information that should not be shown to the user (tokens, application keys) is visible or hard-coded into the javascript or HTML.
Currently, my application uses a cookie to store a user's API key after an initial call to a secure authorisation endpoint, but the idea would be to move to OAuth in the future. Are cookies the way forward?
What is the best way to ensure that only 1st-party mobile/web applications have access to certain 1st party private API methods? for data that can't be processed on the client
Is there anything else that anyone frequently forgets to do when building an API for consumption by a client-side framework, or are there things people often miss when building their first client-side app? I'd love to hear about them.
Code examples are encouraged and appreciated!
We generally serve all API request via a proxy server, which is also handling the initial render of the page. This allows for security to be at the server side. So we make API requests to our sever, which then makes HTTP calls to the third party API, we can then handle sending request headers, and security on the server.
But, we have implemented a client side solution before using crypto-js to handle secure keys (https://code.google.com/p/crypto-js/)