HMAC in client side JavaScript and identity spoofing

StackOverflow https://stackoverflow.com/questions/18105285

  •  23-06-2022
  •  | 
  •  

Question

CryptoJS has functions to create HMAC from a message and the secret key.

How can this be secure considering that the secret key must be stored in plain sight in the JavaScript source deployed on the client ?

Anyone can take the key and issue similar requests to the server under the identity of the original client of the API. Isn't "identity" the problem that HMAC is supposed to solve ?

All in all, I do not understand the purpose of HMAC in client side JS since the key can't be kept secret.

Is there a use case to computing HMAC in JavaScript ?

Was it helpful?

Solution

JavaScript now has WebRTC where two clients can communicate peer-to-peer, this would be a scenario where clients can generate and use their own "secret".

There are some cases where client -> server could be usable as well. If your server was "dynamically" serving the JavaScript then it could insert a "secret" based on the clients current session/login. Assuming you are using HTTPS (if not there could be a man in the middle slurping up the "secret") then it's not unreasonable to assume that communication to the server signed with that specific "secret" (even over unsecured HTTP) belongs to only that client.

OTHER TIPS

How can this be secure considering that the secret key must be stored in plain sight in the JavaScript source deployed on the client ?

Each client should get their own key/secret which enables them access to the resources they are supposed to have access to. This is effectively no different than a user knowing their own username and password. Their user/pass combo only allows access to the resources they need. The same should go for the key pair.

Anyone can take the key and issue similar requests to the server under the identity of the original client of the API. Isn't "identity" the problem that HMAC is supposed to solve ?

Yes, of course if someone gets your key and secret they can issue requests as if they came from you. Simply don't give out your secret to others. Having it in JavaScript doesn't matter at all. Sure, the user can see it but unless they take that key and secret and put it somewhere else, it isn't a problem.

I have a system where a user logs in through normal means (username/password, OAuth, OpenID, etc.) and is immediately issued a key/secret for making API calls. The client-side application uses this key/secret to actually do its work. The issuance of this key/secret is done over HTTPS. I wanted to use HMAC for my API since I wanted the user to be able to pre-sign requests to be used in the open. This method enables me to keep HMAC for the usual administrative GUI as well.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top