Closed lastmjs closed 7 years ago
Yes, putting your credentials client-side is a security risk. There's an assumption with this wrapper that you are ok with those credentials being public. This might be ok in cases like very informal tracking, or where client access is in the hands of trusted users.
For other cases you will likely need to apply other techniques.
Full disclosure, I'm not a security guy. These are things I've seen since working with xAPI. I would be very interested in hearing other techniques for securing client-side content.
Great, that makes sense. I'm working on a unique solution that I'm hoping will open a lot of doors, I'll post back here in the future with what I've got. I think the security issues should be explained in the documentation. The production system that we're switching from uses this library and our credentials are exposed. We didn't know that, and I'm wondering if maybe they didn't know that either. Or perhaps they didn't know it was a problem.
So, here's my solution. I used Scram.js and Express web components to just use the library on my server without modification to the library. It's been working so far!
Very cool. Thanks for letting me know.
Alternatively, we have a way to generate "short lived", "one time" auth tokens with limited permissions, that we call Secure Tokens. Though, it might currently only work with GrassBlade LRS http://www.nextsoftwaresolutions.com/grassblade-lrs-experience-api/
This article explains the feature and what it does: https://nextsoftwaresolutions.zendesk.com/hc/en-us/articles/207000556-Secure-Tokens-A-critical-Data-Safety-feature
Regards,
Pankaj Agrawal
On Tue, May 10, 2016 at 2:47 PM, tom creighton notifications@github.com wrote:
Very cool. Thanks for letting me know.
We just updated the wrapper to support xAPI Launch. It is another way to keep from adding credentials in your client side code https://github.com/adlnet/xapi-launch
Isn't it a security risk to have the password to your LRS be sent client-side to be used with this library? I'm in the process of using this library to connect to our LRSs, but I'm a little confused at the security. Any insight would be greatly appreciated, thanks!