Authenticating for a JSON API

Hey guys.
If I am not mistaken, an API that outputs JSON can be called from JavaScript, with the request IP
being the one from the user’s PC. How would one go about securing this and providing access
to the API, besides having to authenticate users like FB does?

S.

I’ve asked this question a few times and researched it, and the bottom line is you really can’t. The only way to do so is to authenticate users and limit what they can do based on their role or permissions. It sucks, but if you don’t want huge security holes, it’s the way it is. To that end, it’s not possible to have a REST API accessed with JavaScript using authentication secrets, passwords, etc., since anyone can just browse the code and see them. I would like to make my own model layer directly accessible through JavaScript, but there is no great way to do it without having model methods check permissions.

Here is that conversation.

Thanks oddz. Seems authentication is the only way.
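
The approach the thread settles on (authenticate the user, then have each model method check permissions on the server) can be sketched as follows. This is an added example, not code from any poster; the session ids, the `model` methods and `handleApiCall` are hypothetical names, and the data is constructed.

```javascript
// Server-side state (constructed sample data). None of it is shipped to the browser.
const sessions = new Map([
  ["sess-alice", { userId: 1, role: "admin" }],
  ["sess-bob", { userId: 2, role: "member" }],
]);
const posts = new Map([
  [10, { id: 10, ownerId: 2, title: "Bob's post" }],
  [11, { id: 11, ownerId: 1, title: "Alice's post" }],
]);

// Model layer exposed to JavaScript clients: every method receives the
// authenticated user and performs its own permission check.
const model = {
  listPosts(user) {
    const data = [...posts.values()].map((p) => ({ id: p.id, title: p.title }));
    return { status: 200, data };
  },
  deletePost(user, { id }) {
    const post = posts.get(id);
    if (!post) return { status: 404, error: "not found" };
    if (user.role !== "admin" && post.ownerId !== user.userId) {
      return { status: 403, error: "forbidden" };
    }
    posts.delete(id);
    return { status: 200, deleted: id };
  },
};

// Entry point for one JSON call of the form { session, method, args }.
// Assumption: the session id is passed in the body here to keep the example
// self-contained; normally it would arrive in a cookie or header.
function handleApiCall(rawJson) {
  let req;
  try { req = JSON.parse(rawJson); } catch { return { status: 400, error: "bad JSON" }; }
  if (!req || typeof req !== "object") return { status: 400, error: "bad request" };
  // Identity and role come from the server-side session lookup only;
  // any "role" or "userId" field the client adds to the request is ignored.
  const user = sessions.get(req.session);
  if (!user) return { status: 401, error: "not authenticated" };
  // Dispatch only to the model's own methods (rejects "constructor", "__proto__", ...).
  if (!Object.prototype.hasOwnProperty.call(model, req.method)) {
    return { status: 404, error: "unknown method" };
  }
  return model[req.method](user, req.args || {});
}
```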