On Wed, Sep 19, 2012 at 2:08 AM, Dan Milon <
danm...@gmail.com> wrote:
> Peter, I thought of using OAuth straight from the browser, but I have
> some security concerns. The access token will be accessibly by all
> javascript running on the page.
Are you planning on executing untrusted javascript on this page? if so
might i advise against that? If not does it really matter that all of
your trusted code can get to that info?
That being said, i think you could scope the visibility of the token
to just the api access layer. Consider the following pattern:
ApiClient = function(oauthToken) {
this.doThingWithApi = function() {
// use enclosed variable oauthToken to authenticate requests
}
}
// your code
api = new ApiClient(resolveUserCredsToOauthToken('alice', 'secretpwd'))
api.doThingWithApi()
This approach allows you to make the token available to functions
defined in the lexical scope of the ApiClient function but hide it
from the rest of the code.
Peter
barelyenough.org