52 points

…so allow…either?

What’s so hard about checking two headers (Authorization: and Cookie:) for the authtoken?

permalink
report
reply
33 points

It’s a security thing. The HttpOnly cookie can’t be stolen using XSS or something like that, while a bearer token must be stored somewhere where javascript can see it.

permalink
report
parent
reply
25 points

Then again, cookie auth is vulnerable to CSRF. Pick your poison.

Although CSRF protection just adds a minor inconvenience, while there is never a guarantee your code is XSS vulnerability free.

permalink
report
parent
reply
9 points

That’s assuming the client wants to make a web app. They may need to connect something else to that API.

It’s perfectly normal to be able to cater to more authentication scenarios than “web app logging in directly to the target API and using its cookies”.

If they want to make a web app they should use the cookie mechanism but ultimately each client app is responsible for how it secures its access.

permalink
report
parent
reply
8 points
*

Okay.

So make your webpage send the authtoken in a cookie and leave off the Authorization header, and have your third party (presumably native) clients send an Authorization header but not any cookies, and write your server software to check for both.

This seems trivial. What am I missing?

permalink
report
parent
reply
-5 points

The point of the cookies being HttpOnly is that it makes them completely inaccessible to client side JavaScript, making a whole load of session hijack/XSS attacks impossible.

The request for a bearer token here circumvents this protection because then there’s a way for a client to avoid cookies all together, making the API vulnerable again.

permalink
report
parent
reply
41 points

Can a non-programmer get some explanation?

permalink
report
reply
50 points

The short version is that the creators of this API are doing something more secure than what the client wants to do.

A reasonable analogy would be trying to access a building locked by a biometric scanner vs. a guard looking for a piece of paper with a password on it. In the first case, only people entered into the scanner can get in (this is the cookie scenario). In the second case, anyone with a piece of paper with the right password on it will be let in (this is the Bearer token scenario).

More technical version: the API is made more secure because the “HttpOnly” cookie - which, basically, means the cookie’s contents can’t be read with JavaScript in the browser - is used to hold the credentials the server is looking for.

By allowing a third party to access the application, this means you have to allow methods that can be set “client-side” (e.g. via JavaScript in a browser). The most common method is in the “Authorization” HTTP Header - headers are metadata sent along with a request, they include things like the page you’re coming from and cookies associated with the domain. A “Bearer” token is one of the methods specified by the “Authorization” header. It’s usually implemented via passing the authorization credentials prefixed with the word “Bearer” (hence the name) and, often, are static, password-like text.

Basically, because this header has to be settable by a script, that means an attacker/hacker could possibly inject malicious code to steal the tokens because they must, at some point, be accessible.

permalink
report
parent
reply
25 points

HttpOnly cookies can’t be read by javascript, so there’s no way to set the bearer token in the Authorization header.

permalink
report
parent
reply
110 points

You have a very wild fantasy of what a non-programmer is.

permalink
report
parent
reply
21 points

Okay, well have you ever used a dinglehopper?

permalink
report
parent
reply
10 points

An API lets different software talk to each other. HttpOnly uses secure tokens (think password) that a server uses to confirm identity.

Bearer tokens also confirm identity but the added security provided by HttpOnly does not allow passing such within the api information.

permalink
report
parent
reply
15 points

JavaScript is a language that runs on a user’s computer, when they visit a web page. It is often used for dynamic functionality, ie when you click “like” on a comment… JavaScript running in your web browser will make a request to the server letting it know that you liked the post, then the server will respond with a total number of people who liked it or something.

But, the server needs to know how to authenticate which user liked the comment (so you can’t like it twice etc). There are various authentication mechanisms to do this, with their own trade-offs. Over all, there’s secret information that the browser and the server have to share with each other, and we don’t want that information being accessed by the wrong people.

There’s also a common problem with web apps called “cross site scripting”. Basically somebody might craft a cleverly formatted comment that exploits a bug in the web page and causes the attacker’s code to run. One trivial example might be if every time a person read a comment thread, the attackers code caused that person to “like” a request. A more serious exploit would be one that finds out that secret authentication information I mentioned and shares it with the attacker. They can then pose as the victim user and do anything they want as that person. This would be bad.

So, on to the different approaches and their tradeoffs.

  • HttpOnly cookies. Basically when you log in, the server gives your browser a cookie vouching for who you are. Each subsequent request to the server will include this cookie automatically. The browser handles attaching it to the request, and the browser hides it from any JavaScript running on the page. One trade off is that it requires some authentication to happen between the user and the service (ie enter your username and password), to generate the cookie in the first place. This is likely what OP’s customers want to avoid.
  • bearer tokens: basically, when JavaScript code makes a request to the server, it can optionally add some tokens in the request headers and use those to authenticate the user. I’m assuming OP’s scenario involves his company providing a service that is used by another company’s web site. They want to log in the user on their system, then forward some info along to OP’s system describing that user. They can’t just set an HttpOnly cookie for his domain, since it would be private to him; so instead they store a magic token in the browser’s local storage or somewhere and send that on every request. The down side is that JavaScript has to be able to read that token, so it enables that malicious user we talked about to steal it if they exploit some other bug.

Anyhow, one common solution here is to set very short expiration dates on those bearer tokens. That way if somebody steals it, they can’t use it for long.

Another strategy is to limit what each token can do. OP needs to make it so you can like a comment using one of those bearer tokens, but more dangerous actions like purchasing things, deleting content, etc, should be guarded by a more secure mechanism. Then the damage is mitigated if the bearer token leaks.

permalink
report
parent
reply
1 point

Thanks! This was the best explanation I got, I think.

permalink
report
parent
reply
5 points
*

Basically it means that the API calls won’t work in a browser and would only realistically work in things like Python scripts.

If API calls are being handled by JavaScript in the browser, they’re going to run into issues, because the HttpOnly flag means the JavaScript code can’t read the auth token.

Things like Python scripts have no such limitations though, so this can be used in cases where you aren’t expecting an actual browser.

permalink
report
parent
reply
3 points

it’s a security style.

the OG “goat” style says the only things that can request the server are those that get their badges from the server (or some place the server trusts) beforehand.

then comes the client that wants to be able to supply their own badges.

permalink
report
parent
reply
3 points

Get the token from the cookie instead of the Authorization header

permalink
report
reply

Programmer Humor

!programmerhumor@lemmy.ml

Create post

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

  • Posts must be relevant to programming, programmers, or computer science.
  • No NSFW content.
  • Jokes must be in good taste. No hate speech, bigotry, etc.

Community stats

  • 3.6K

    Monthly active users

  • 1.5K

    Posts

  • 35K

    Comments