On Monday, September 17, 2012 11:27:01 PM UTC+1, Dan Milon wrote:
> Hello Community,
> Sorry for going off topic, but I'm sure there are people here who could
> help me. Although most of the stuff described below is built in node,
> my question is more of an architectural one.
> I'm developing a public HTTP backend API for a service. On top of that,
> there is a web app that has users log in, and should use the backend API
> to fulfill user requests. The API supports OAuth2, and the web app is a
> single page app, with loads of javascript.
> My concern is how the browser and the web app should talk with the API.
> I found two possible ways.
> ## Browser directly uses the API
> When the user enters his credentials to log in, the web app passes them
> to the API and is given an OAuth access_token, which is directly passed
> to the browser and stored in some cookie. Then every request to the API
> is made directly from the browser through JSONP. When the user logs out,
> the web app destroys the session.
> ## Browser talks to web app, which talks to the API
> When the user enters his credentials to log in, the web app passes them
> to the API and is given an OAuth access_token. A session is created with
> the User and the access_token is stored in the session. When the browser
> needs to talk to the API, it goes through the web app. The web app uses
> the access token in the session, calls the API, and delivers the
> response to the browser.
> Both ways have pros and cons with performance and security trade-offs.
> What do you think?
> Thanks a lot,
> danmilon.
> PS: from what I've seen, twitter uses its public API directly from the
> browser, but passes session cookies for authentication. That means their
> API also supports cookie sessions?