Forum Discussion

Gursimrat
Leader
10 years ago

Making secure connection b/w Custom component and Endpoint using AJAX

Hi All,

We are calling an endpoint from a custom component using Ajax. It works fine, but we have one query: is there a way we can authenticate the call at the endpoint, to verify that it was made from the custom component only? As the endpoints can be accessed via the browser as well, anyone can see the data just by passing parameters. Is there a way we can fill this gap?

e.g.

The profile hover endpoint on Lithosphere can be hit directly from the browser: you just need to change the user id and you will get the respective results.

https://community.lithium.com/lithosphere/plugins/custom/lithium/lithosphere2/profilehovercard?user_id=34691

This is a simple case, but still, is there a way to authenticate the call inside the endpoint to verify that the source was the custom component and not a direct browser hit?

    • PaoloT
      Lithium Alumni (Retired)

      Hi Gursimrat,

      Ultimately, if you make an AJAX call to any HTTP endpoint from the browser, it means that the endpoint itself must be accessible to the browser by definition. What the browser in question "can / cannot see" depends on who is using that browser, so ultimately I think the best way to secure it is to verify that the user accessing the Studio endpoint has the right level of access for seeing the content provided by the endpoint.

      In the endpoint you can use FreeMarker code to verify, for example, whether the user is registered or anonymous, or whether the user in question has a certain role, etc. Would this give you enough power to control access to your endpoint?

      Cheers,