Comments (6)
creighton
commented on June 14, 2024
Yes, putting your credentials client-side is a security risk. There's an assumption with this wrapper that you are ok with those credentials being public. This might be ok in cases like very informal tracking, or where client access is in the hands of trusted users.
For other cases you will likely need to apply other techniques.
- you could move the xapi stuff out of the client-side content and send your xapi data via some server
- you could use a launch technique like cmi5 or xapi-launch (note: these don't fully remove security issues, but they do keep the credential from needing to be hardcoded in the client-side code)
Full disclosure, I'm not a security guy. These are things I've seen since working with xAPI. I would be very interested in hearing other techniques for securing client-side content.
from xapiwrapper.
lastmjs
commented on June 14, 2024
Great, that makes sense. I'm working on a unique solution that I'm hoping will open a lot of doors, I'll post back here in the future with what I've got. I think the security issues should be explained in the documentation. The production system that we're switching from uses this library and our credentials are exposed. We didn't know that, and I'm wondering if maybe they didn't know that either. Or perhaps they didn't know it was a problem.
from xapiwrapper.
lastmjs
commented on June 14, 2024
So, here's my solution. I used Scram.js and Express web components to just use the library on my server without modification to the library. It's been working so far!
from xapiwrapper.
creighton
commented on June 14, 2024
Very cool. Thanks for letting me know.
from xapiwrapper.
liveaspankaj
commented on June 14, 2024
Alternatively, we have a way to generate "short lived", "one time" auth
tokens with limited permissions, that we call Secure Tokens. Though, it
might currently only work with GrassBlade LRS
http://www.nextsoftwaresolutions.com/grassblade-lrs-experience-api/
This article explains the feature and what it does:
https://nextsoftwaresolutions.zendesk.com/hc/en-us/articles/207000556-Secure-Tokens-A-critical-Data-Safety-feature
Regards,
Pankaj Agrawal
On Tue, May 10, 2016 at 2:47 PM, tom creighton [email protected]
wrote:
Very cool. Thanks for letting me know.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub
#66 (comment)
from xapiwrapper.
creighton
commented on June 14, 2024
We just updated the wrapper to support xAPI Launch. It is another way to keep from adding credentials in your client side code https://github.com/adlnet/xapi-launch
from xapiwrapper.
Related Issues (20)
- Legacy branch HOT 2
- Is not getLRSObject a spec violation? HOT 3
- ADL.xapiutil.getActorId HOT 2
- ERR_CONNECTION_REFUSED HOT 6
- Cannot Get statements, but also without error
- No build process for examples? Should I manually install dependencies? HOT 1
- Documentation Link in main Readme is a 404 HOT 3
- There is no cmi.interaction activity type
- Not possible to set contextActivities.grouping via addGroupingActivity()
- Path issue in Gruntfile HOT 1
- addGroupingActivity() calls always initiate an empty array HOT 2
- empty query HOT 4
- Feature request: Make `getQueryVariable` iframe aware or at least allow to pass launch parameters to `launch` explicitly
- Statements no longer sent when browser (Chrome) closed HOT 2
- Stop sending statements when about internet HOT 2
- Auto generate statement.id HOT 3
- Can't send xAPI statements from H5PStandalone
- Why `mocha` in dependencies?
- Handle + sign in URL query string parameters HOT 1
- Avoid blocking JavaScript execution
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from xapiwrapper.