PHP
alex5e, 2014-04-02 10:16:08

How to hide token when requesting VK API?

When requesting $.getJSON to the VK API to post a message to a group wall, Firebug displays a piece of code that shows both the token and the group number and the message being sent.

That is, everyone who receives my token will be able to perform a similar request (add a message to the group or, on the contrary, delete it, since the rights allow it). How can you protect yourself from this?

Reducing the lifetime of the token is not suitable, because it must remain eternal.

<script type="text/javascript">
  // access_token and owner_id are part of the URL, so anyone viewing the page can read them.
  // The message is passed through urlencode (not urldecode) so it is a valid query value.
  $.getJSON('https://api.vk.com/method/wall.post?owner_id=-69173875&from_group=1&message=<?php echo(urlencode($message)); ?>&access_token=TOKEN&v=5.16&callback=?')
    .done(function (resp) {
      if (resp.response != undefined)
        console.log("JSON Data: " + resp.response.post_id);
      else
        console.log("error");
    });
</script>

4 answer(s)
Alexander Zelenin, 2014-04-02
@alex5e

Use Ajax to send a request to your own PHP script, which will then make the request to the API with cURL and return a response, if necessary.

Petrusha Ukropov, 2014-04-02
@artishok

The token is tied to your site

Alexander Khirenko, 2014-04-02
@Satanpit

To avoid such situations, you need to perform such requests on the server side.
You can't hide a token with JS. Anyone who opens the console will see it.
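
The server-side approach suggested in the answers above, as an added example that is not code from the thread: a PHP endpoint that keeps the token on the server and calls wall.post itself, after checking that the caller is allowed to post. The file name, the VK_ACCESS_TOKEN environment variable, the session keys and the 2000-byte message limit are assumptions.

```php
<?php
// post_to_wall.php -- added example; the file name, VK_ACCESS_TOKEN and the
// session keys ('user_id', 'csrf') are assumptions, not part of the thread.
declare(strict_types=1);
session_start();
header('Content-Type: application/json');

function fail(int $status, string $error): void {
    http_response_code($status);
    echo json_encode(['error' => $error]);
    exit;
}

// Without these checks the proxy would let any visitor post with the token's rights.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') fail(405, 'POST only');
if (empty($_SESSION['user_id'])) fail(403, 'not logged in');
$expected = (string)($_SESSION['csrf'] ?? '');
$csrf = $_POST['csrf'] ?? '';
if (!is_string($csrf) || $expected === '' || !hash_equals($expected, $csrf)) {
    fail(403, 'bad CSRF token');
}

// Only the message comes from the browser; the target wall is fixed here.
$message = $_POST['message'] ?? '';
if (!is_string($message) || trim($message) === '' || strlen($message) > 2000) {
    fail(400, 'invalid message'); // 2000 bytes is an assumed limit
}

// The token lives in server configuration and is never sent to the client.
$token = getenv('VK_ACCESS_TOKEN');
if ($token === false || $token === '') fail(500, 'server not configured');

$ch = curl_init('https://api.vk.com/method/wall.post');
curl_setopt_array($ch, [
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'owner_id' => -69173875, 'from_group' => 1, 'message' => $message,
        'access_token' => $token, 'v' => '5.16',
    ]),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_TIMEOUT => 10,
]);
$raw = curl_exec($ch);

// Return only the post id, never the raw upstream response or the token.
$resp = is_string($raw) ? json_decode($raw, true) : null;
if (!isset($resp['response']['post_id'])) fail(502, 'VK API call failed');
echo json_encode(['post_id' => $resp['response']['post_id']]);
```

The page then sends only `message` and `csrf` to this script with `$.post`, so Firebug shows a request to your own server and no token.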

WTFRU7, 2014-05-16
@WTFRU7

The VK token is tied to an IP, so even if it is stolen, they will not be able to use it.
