Why not allow JS applications to call webservice methods?

Recently I created a discussion topic on a better way to make a call to a service with authentication from the client (JS): https://community.elgg.org/discussion/view/2148088/better-way-to-call-a-webservice-api-method-from-client

I have not found a better solution, so I made a change in the web_services plugin so that it checks whether the request came from a logged-in user. Thus I can make calls from my Angular controller without needing to provide an authentication token in the request.

The solution is in:

https://github.com/gcaldeira/Elgg/commit/1a5fc103afb0d7116d7bf67912c0e18a48fcf343

I would like to know the opinion of the other developers about this solution.

  • I think you may be confusing web services with regular ajax callbacks.

  • I am not sure web-services are meant to originate from the same server, so there shouldn't be any shared sessions/cookies.

    I can see however how this could be useful when working with client-side services. I think what you should do is implement another PAM handler that will check the origin of the request and the cookie (perhaps sign it with an HMAC key).

  • @Beck24 I just want to make a centralized entry point to use this both in the client JS app and in other external apps...

    @ihayredinov do you have an example that can help me?

  • Hi,

    I am developing an angularjs client to log in with the elgg webservice. I think it is a good idea because, if you need a custom client like me, with all the features of elgg, this is the simplest way you can do it, like a traditional REST client.

  • Here's the PR you made. Like I said, the cleaner way is to register the existing pam_auth_session() handler that the plugin already provides. As for why this shouldn't be used for production, I'm not sure. It doesn't seem like a security risk and it seems valuable to have 1 API for handling both webservice and ajax calls...
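As an added illustration of the two suggestions above (ihayredinov's "another PAM handler that checks the origin of the request and the cookie", and the reply's advice to register a session-based PAM handler rather than patch the plugin), here is example code that is not part of this thread, the PR, or Elgg itself. It assumes the Elgg 1.x functions register_pam_handler(), elgg_is_logged_in(), elgg_get_site_url(), validate_action_token() and elgg_register_event_handler() with their usual signatures, and that the JS client sends Elgg's own __elgg_token/__elgg_ts parameters; trusting the cookie alone would let any third-party page drive the API with the user's session, so the handler also requires a same-origin request and the CSRF token.

```php
<?php
// Added example (not from the thread or from Elgg): a PAM handler for the
// 'user' policy that accepts a browser session only when the request is
// same-origin and carries Elgg's HMAC-based action token.
// Assumed Elgg 1.x API: register_pam_handler(), elgg_is_logged_in(),
// elgg_get_site_url(), validate_action_token(), elgg_register_event_handler().

function my_ws_pam_auth_session($credentials = null) {
    // 1. The session cookie must map to a logged-in Elgg user.
    if (!elgg_is_logged_in()) {
        return false;
    }
    // 2. Same-origin check: browsers send Origin on XHR (Referer as a
    //    fallback); a request from another site is rejected here so the
    //    cookie alone cannot authorize it (CSRF against the API).
    $origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN']
            : (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '');
    if (!my_ws_same_origin($origin, elgg_get_site_url())) {
        return false;
    }
    // 3. Require the action token Elgg already issues to the page
    //    (__elgg_token / __elgg_ts); false = no user-facing error output.
    return validate_action_token(false);
}

// Compare scheme, host and port of an Origin/Referer value with the site URL.
function my_ws_same_origin($origin, $site_url) {
    $o = $origin === '' ? false : parse_url($origin);
    $s = parse_url($site_url);
    if (!$o || !$s || empty($o['host']) || empty($s['host'])
            || empty($o['scheme']) || empty($s['scheme'])) {
        return false;
    }
    $default = array('http' => 80, 'https' => 443);
    $o_scheme = strtolower($o['scheme']);
    $s_scheme = strtolower($s['scheme']);
    $o_port = isset($o['port']) ? (int) $o['port'] : (isset($default[$o_scheme]) ? $default[$o_scheme] : 0);
    $s_port = isset($s['port']) ? (int) $s['port'] : (isset($default[$s_scheme]) ? $default[$s_scheme] : 0);
    return $o_scheme === $s_scheme
        && strtolower($o['host']) === strtolower($s['host'])
        && $o_port === $s_port;
}

function my_ws_init() {
    // 'sufficient': passing this handler alone authenticates the user, so the
    // same endpoint keeps serving token-based external clients unchanged.
    register_pam_handler('my_ws_pam_auth_session', 'sufficient', 'user');
}
elgg_register_event_handler('init', 'system', 'my_ws_init');
```

Placed in a small plugin's start.php, this adds the session path without modifying web_services, and external clients that authenticate with a user token are unaffected because their PAM handler still runs.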