
time limited signature token #1

Closed
joshp23 opened this issue Nov 21, 2016 · 7 comments


joshp23 commented Nov 21, 2016

I've been playing around with this code, and I am having some trouble trying to work in the time limited signature token mentioned here. I have been assuming that simply adding in something like this

```javascript
// Fragment intended for yourls-api.js: choose which auth fields to send based
// on the credentials supplied (time-limited signature, plain signature, or
// username/password). `credentials` and `auth` come from the surrounding
// library code.
if (credentials) {
  if (credentials.timestamp) {
    // time-limited signature: md5(timestamp + token) together with the timestamp
    auth.signature = credentials.signature;
    auth.timestamp = credentials.timestamp;
  } else if (credentials.signature) {
    auth.signature = credentials.signature;
  } else {
    auth.password = credentials.password;
    auth.username = credentials.username;
  }
}
```

would work, but it returns nothing but errors.

Assuming my md5 script is working, does this seem correct to you? Should this work?

@neocotic (Owner)

I've not used YOURLS for a while now but based on their documentation that should work.

What errors are you getting exactly? JS? Network? HTTP? Other?

@neocotic (Owner)

Out of curiosity; how are you generating the timestamp? I noticed that in the official docs it covers using the PHP time function. I don't know if this could be your issue but this function returns the number of seconds since Unix Epoch, unlike the [JavaScript Date.now function](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/now) which returns the number of milliseconds since Unix Epoch.

I believe that the md5 sum should be a concatenation of the generated timestamp and the signature token, in that order.

I still need the information mentioned in my previous comment to help you further but, I'm on my lunch break, so thought I'd quickly comment on this while I remembered.


joshp23 commented Nov 22, 2016

Your comment helped me figure out my error. What I needed was this (using blueimp's MD5 script):

```javascript
// Timestamp in seconds, as PHP's time() produces; Date.now() is milliseconds.
function time() {
	var timestamp = Math.floor(new Date().getTime() / 1000);
	return timestamp;
}

// Time-limited signature: md5 of the timestamp followed by the API signature
// token (api_key, defined elsewhere), using md5() from blueimp's JavaScript-MD5.
function hkey() {
	var con = time() + '' + api_key;
	var hash = md5(con); // 'var' keeps hash from leaking into the global scope
	return hash;
}
```

This should work with the adjustment to yourls-api.js now. That works effectively to generate the correct signature: hkey() and timestamp: time() with an ajax GET, resulting in a positive return.

I think that it is important to keep login credentials and api keys from being sent in plaintext.

Expect a pull request soon, and thank you for pointing out this apparently simple and obvious oversight.

@joshp23 joshp23 closed this as completed Nov 22, 2016
@neocotic (Owner)

I'm glad that I was able to help you.

The issue relating to the credentials being sent in clear text is actually out of my control as it's the only means of authenticating with the YOURLS API. It is also the reason that I moved away from using YOURLS myself. The safest way of using it is with the signature token, especially when time-limited, however, you still have to be careful of where the signature token is being exposed. Best bet is for the server to pass the md5 sum and timestamp to the frontend and then for the frontend to use those to connect. If you're calculating the md5 sum on the frontend, then your signature token is probably already exposed.

Obviously, if you're on a secure server wanting to connect to a secure YOURLS server, it would be great to send those credentials in the request body, but JSONP only supports GET requests by design so all data is visible in the URL. I have considered adding support for plain JSON XHR requests in the past and might revisit that if it helps. Not sure it would though unless YOURLS makes changes to add alternative (and better) means of authentication.

@neocotic (Owner)

I just took another quick peek at the docs now that I've finished work and noticed that the API does in fact support POST requests. I might take another look at adding support for JSON requests then if it allows users to make POST requests as that would at least keep the credentials from being exposed over secure networks.


joshp23 commented Nov 22, 2016

Nifty. I am marginally satisfied with sending a timestamp and md5 hash in the URL, but yes... the token is still exposed, just not as much.

If you are going to use POST, how do you get around cross origin issues? Perhaps I'm confused, but it seems like jsonp (and therefore GET) is required for making calls from the browser to the remote server?

@neocotic (Owner)

You can now use time-limited signature tokens with this library. You just have to upgrade to v2, however, the API does contain some breaking changes so you might want to read through the (now detailed) readme first, so that you're familiar with these changes.

As for the POST comment; cross-origin HTTP requests are possible using CORS. I doubt that YOURLS supports this dynamically but I see no reason why you couldn't modify your .htaccess file on your YOURLS server to allow the requests from the domain you're using this library on, or even from all domains, although that's more risky.

By design, JSONP requests always have GET methods but YOURLS supports both GET and POST methods for JSON requests, however, you'd need CORS if you're running this library on another server. JSONP is just sort of a hackier CORS but has its limitations.
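The .htaccess change neocotic describes, as an added example that is not from the thread or from YOURLS: an Apache fragment on the YOURLS server that allows cross-origin JSON requests to the API endpoint from one named origin, with the wildcard variant shown only as the riskier option. It assumes mod_headers is enabled; the origin hostname is a placeholder.

```apache
# Added example, not from the thread. Scope the CORS headers to the API
# endpoint only, so the rest of the YOURLS install stays same-origin.
<Files "yourls-api.php">
    # Restricted: only the site that hosts the yourls-api.js frontend.
    Header set Access-Control-Allow-Origin "https://app.example.com"
    Header set Access-Control-Allow-Methods "GET, POST"
    # Tell caches the response depends on the requesting origin.
    Header set Vary "Origin"

    # Riskier alternative mentioned in the thread: any page on any site may
    # call the API through the user's browser. Prefer the named origin above.
    # Header set Access-Control-Allow-Origin "*"
</Files>
```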

@neocotic neocotic added this to the 2.0.0 milestone Nov 23, 2016