
I have an AngularJS application (using ASP.NET Web API as the backend) that does not require the user to authenticate (the application has no login). I want to make sure that the REST API methods the AngularJS application invokes can only be invoked from the application. I obviously cannot use token based authentication for that.

If I do nothing special, the REST API methods can be invoked freely using the browser's address bar or by writing a desktop application that invokes them. The same-origin policy is only regarded if a browser invokes an API method from an HTML page coming from a site having another origin. The REST API is therefore open to the public and easily hackable.

I wonder what I could do to securely restrict the access to the REST API. Any ideas or experience?

Edit 1: I found an easy solution for my problem: I just check if the host of the URL referrer is the same as the host of the requested URL. Using ASP.NET Web API the code the REST API actions use is:

private bool ApiCallIsAllowed()
{
   var request = HttpContext.Current.Request;
   // The Referer header is optional; a missing one is treated as "not allowed".
   return (request.UrlReferrer != null &&
      request.UrlReferrer.Host == request.Url.Host);
}

I am just not 100% sure if I always get the URL referrer.

Edit 2: According to this question the URL referrer is not reliable. Bummer.

  • Are you hosting the API and AngularJS on the same application on IIS? Commented Sep 23, 2014 at 9:21
  • Yes. It's the same (SPA) application on the IIS. Commented Sep 23, 2014 at 12:51

1 Answer

  1. use ssh - that's obvious :)
  2. login process should generate a token - write it as a cookie - every HTTP request will use it in a header
  3. prepare a REST interceptor that will read your token and authorize every request
  4. use some JavaScript obfuscator

Don't forget to invalidate session ;).

You can use spring-security or another framework to simplify this process.
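The token flow of steps 2 and 3 above, as an added example that is neither the answerer's nor the project's code: the server issues a per-session token signed with a server-side secret, and a validating interceptor rejects any request whose token is missing, expired or tampered with. As the asker notes, without a login any client that loads the app can obtain such a token, so this limits a token's reuse and lifetime rather than restricting callers to the app. The header name `X-Session-Token` and the 30-minute lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Server-side secret: load from configuration in production and never ship it to the client.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_LIFETIME_SECONDS = 30 * 60      # assumed lifetime
HEADER_NAME = "X-Session-Token"       # assumed header name set by the client-side interceptor


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the payload with the server secret (hex encoded)."""
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(now: Optional[float] = None) -> str:
    """Create a fresh session token: random session id, expiry time, and a MAC over both."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(16)        # urlsafe alphabet never contains '.'
    expires = int(now) + TOKEN_LIFETIME_SECONDS
    payload = f"{session_id}.{expires}"
    return f"{payload}.{_sign(payload)}"


def validate_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the session id if the token is well-formed, unexpired and untampered, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    session_id, expires_str, mac = parts
    if not expires_str.isdigit() or int(expires_str) < now:
        return None                               # expired (or malformed expiry)
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, _sign(f"{session_id}.{expires_str}")):
        return None                               # tampered session id, expiry or MAC
    return session_id


def authorize_request(headers: dict, now: Optional[float] = None) -> bool:
    """Server-side interceptor: every REST call must carry a valid token in the header."""
    token = headers.get(HEADER_NAME)
    return token is not None and validate_token(token, now) is not None
```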


5 Comments

The idea with the token seems to be the obvious one. I was only thinking that the token would be visible in JavaScript code. But the obfuscator might do the trick.
Token is unique and valid only per session. Doesn't matter if an authenticated user knows the token - it's his right. He can work only with the RESTs. Angular is only GUI. No business logic inside. After his session the token is invalid. Obfuscator won't change your data.
But as I stated in my question: I do not have a login. Hence I have no user-related token. I could use a token of course without a login but this would then be the same for any request. That is why the visibility of the token matters.
So you should use a token generated as a public key, and check it with the private one stored at your server side. How do you want to send the token to your client?
That is the problem. If the client gets the token via a REST API call everyone who can read JavaScript knows how to get a token. Not very secure. But after many discussions I think the only solution for a secure REST API is to have a login and use OAuth or similar. I accept your answer anyway because it's the best I got :-)
