API requests via JavaScript with use of bearer token? #253

Closed
devEngine opened this issue Jun 20, 2017 · 5 comments

@devEngine

Hello,

I am aware of issues #64, #221, and the like, and I understand from reading through these and other threads that a JS approach to querying the Fusion API has been left aside so as not to expose the client id and secret, etc. (at least in part for these reasons).

Per suggestions given, I have thus far built out a python back-end by which I store my credentials on the server but can save my bearer token as a cookie. I was thinking it would be more practical to issue API requests directly from the client (using the bearer token saved client-side) but I was just wondering:

a) Is there any way to do this (with my bearer token ready), or is that just going to give me a CORS issue, and
b) is the idea to also keep the bearer token secret (or does that get matched with client-specific details on Yelp's end so that it doesn't matter if it gets exposed)?

Any input/suggestions would be appreciated.

Thanks!

@tomelm
Contributor

tomelm commented Jun 20, 2017

The idea is that you should keep the bearer token secret; that's what gives you access to the API, and if it gets leaked someone could make requests that count against your quota.

If you try to make ajax requests using CORS your request will likely fail due to the different origins.

@devEngine
Author

Thanks - that had occurred to me, but I was hoping there might be a workaround for this, like bearer token + permissioned app of some sort.

@builderLabs

builderLabs commented Jun 22, 2017

Just a suggestion here - I have put together some notes on querying Fusion using a JavaScript/frontend approach.

Beyond this, however, exposure of the bearer token is something which could be neutralized if an authorized origin + bearer token approach were enforced, like Google does with OAuth 2.0.

I detail this in some notes I just posted:

Yelp-Fusion-Frontend

Hope you find it useful.
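The pattern the two comments above converge on (keep the bearer token on the server, and only honour requests from origins you have authorized) can be demonstrated with a small server-side proxy. This is an added example, not code from the Yelp Fusion project or from any participant in this thread; the `/v3/businesses/search` endpoint, the `YELP_API_KEY` environment variable and the allow-listed origins are assumptions chosen for illustration.

```python
import os
import urllib.parse
import urllib.request

# Constructed allow-list: only pages served from these origins may use the proxy.
# Exact strings, so "https://app.example.com.attacker.test" does not match.
ALLOWED_ORIGINS = {"https://app.example.com", "http://localhost:3000"}

# Assumed Fusion search endpoint. The bearer token is read from the server's
# environment, so it is never shipped to the browser as a cookie or JS literal.
FUSION_SEARCH_URL = "https://api.yelp.com/v3/businesses/search"
FORWARDED_PARAMS = ("term", "location", "limit")  # everything else is dropped


def is_allowed_origin(origin):
    """Exact-match check of the browser's Origin header (no substring matching)."""
    return origin in ALLOWED_ORIGINS


def cors_headers(origin):
    """Echo the origin back only when it is allow-listed; never answer with '*'."""
    if not is_allowed_origin(origin):
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


def build_upstream_request(params, token):
    """Server-to-Yelp request: allow-listed query params plus the bearer token."""
    clean = {k: params[k] for k in FORWARDED_PARAMS if k in params}
    url = FUSION_SEARCH_URL + "?" + urllib.parse.urlencode(clean)
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + token})


def handle_search(origin, params, token=None, send=None):
    """Proxy entry point. Returns (status, response_headers, body).

    `send` performs the upstream call and is injectable so the logic can be
    exercised without network access; by default it uses urllib.
    """
    token = token if token is not None else os.environ.get("YELP_API_KEY", "")
    if not is_allowed_origin(origin):
        return 403, {}, b"origin not allowed"
    if not token:
        return 500, cors_headers(origin), b"server is missing its API key"
    if send is None:
        send = lambda req: urllib.request.urlopen(req).read()
    body = send(build_upstream_request(params, token))
    return 200, cors_headers(origin), body
```

The Origin check protects browser users (a page on a foreign origin cannot read the response), but a non-browser client can send any Origin value it likes, so the proxy still needs its own per-user authentication or rate limiting if the quota matters. Logging rejected origins gives a cheap detection signal for pages that try to reuse your proxy.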

@devEngine
Author

Nice!!! Very handy, indeed.

Maybe that's what might be needed - to check the token along with the requesting origin. Re-opening to call attention to this issue.

@watterso
Contributor

Closing as dupe of CORS issue (#64)
