I'm using Aura.Auth with PDO for authentication on my small multi-tenant web app. One of the forms uses jQuery autocomplete to do a very simple lookup on a column in the tenant's database (which is a completely separate SQL DB for each tenant). The autocomplete function executes a PHP script that returns the matching column data.
Does anybody have any advice on how to securely pass the logged-in user's Aura.Auth credentials to the PHP script using jQuery autocomplete, please?
My current method (built using my beginner skillset) encrypts the user's database credentials into a very long string that is visible within the page source. While this works, as autocomplete passes this encrypted string to the PHP script, which in turn decrypts to view the tenant's DB credentials, it means anybody who manages to copy the encrypted string of another user can log in to my app as themselves, then run queries as the tenant whose DB credentials they've stolen. I know this is a big flaw, so I'm looking for the correct way to do this.
Another method I've since read about would be to create an authentication token that expires, rather than passing an encrypted string of the DB credentials. This also appears insecure to me, as the token can still be stolen and used elsewhere until it expires. Would the correct method be to authenticate using both the token and IP address of the user? If so, what would happen if the user happens to be on a network that has two external IP addresses or happens to have a dynamic external IP that changes mid-session?
Any help is always appreciated!
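One server-side pattern for the lookup endpoint, as an added example that is not from the original post: the autocomplete script never receives credentials from the browser; it resumes the Aura.Auth session from the cookie, maps the authenticated user to a tenant DSN that exists only in server-side config, and runs a parameterised query. Assumed names: `autocomplete.php`, the `accounts` login table with a `tenant_id` column, the `$tenants` map, and the `customers.name` column; the Aura.Auth factory calls follow its README and should be checked against the installed version.

```php
<?php
// autocomplete.php (assumed name): the browser sends only the search term.
// The session cookie is the credential; tenant DB details stay on the server.
require __DIR__ . '/vendor/autoload.php';

use Aura\Auth\AuthFactory;
use Aura\Auth\Verifier\PasswordVerifier;

// Login database used by Aura.Auth (assumed DSN and account).
$pdo = new PDO('mysql:host=localhost;dbname=auth', 'auth_user', 'PLACEHOLDER');
$auth_factory = new AuthFactory($_COOKIE);
$auth = $auth_factory->newInstance();
$adapter = $auth_factory->newPdoAdapter(
    $pdo,
    new PasswordVerifier(PASSWORD_BCRYPT),
    ['username', 'password', 'tenant_id'], // extra columns become user data
    'accounts'
);
$auth_factory->newResumeService($adapter)->resume($auth);

header('Content-Type: application/json');
if (!$auth->isValid()) {
    http_response_code(401);
    echo json_encode(['error' => 'not authenticated']);
    exit;
}

// Tenant connections keyed by tenant_id (assumed); never sent to the client.
$tenants = [
    'acme'   => ['dsn' => 'mysql:host=localhost;dbname=tenant_acme',   'user' => 'acme_ro',   'pass' => 'PLACEHOLDER'],
    'globex' => ['dsn' => 'mysql:host=localhost;dbname=tenant_globex', 'user' => 'globex_ro', 'pass' => 'PLACEHOLDER'],
];
$tenantId = $auth->getUserData()['tenant_id'] ?? null;
if (!isset($tenants[$tenantId])) {
    http_response_code(403);
    echo json_encode(['error' => 'no tenant mapped for this user']);
    exit;
}
$t = $tenants[$tenantId];
$tenantDb = new PDO($t['dsn'], $t['user'], $t['pass'], [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Bounded, parameterised prefix search; the term is never interpolated into SQL,
// and LIKE wildcards typed by the user are escaped so they match literally.
$term = substr((string) ($_GET['term'] ?? ''), 0, 64);
$stmt = $tenantDb->prepare('SELECT name FROM customers WHERE name LIKE :prefix ORDER BY name LIMIT 10');
$stmt->execute([':prefix' => addcslashes($term, '%_\\') . '%']);
echo json_encode($stmt->fetchAll(PDO::FETCH_COLUMN));
```

With this layout the jQuery side needs only `source: 'autocomplete.php'`, which sends `term` and the session cookie automatically. Nothing secret appears in the page source, so a copied string cannot be replayed against another tenant, and the token-plus-IP question no longer arises.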