we are about to code a client side mvc app in javascript (angularjs). on the server side we have node.js running to serve the templates etc. i am new to the "front end" side of the story - i am a "typical" java backend guy - so apologies in advance ;-)
i want to authenticate and talk against our own internal rest api which is based on oauth. i can get the handshake to work and the basic setup seems to be working.
my question is: where do i put all the oauth handshaking and "wrapping" code?
so far i've found these solutions:
let's assume both client and server side are implemented in javascript and the "real server" is a jetty serving the rest api secured with oauth.
client (js) -> server (node.js) -> server (jetty+oauth)
version 1. has the benefit of securing all the details of the api and oauth handling (so nobody looking at the source code of the html/js could see this)
version 2. has the advantage of skipping the intermediary layer, but everybody could see the oauth key/secret...
i hope you get what i mean. is there any guideline/tutorial detailing "best practices" for dealing with a secured api that is needed by a client side mvc application running inside the browser of the user?
any help highly appreciated.
cheers marcel
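For the intermediary layout in the question (client (js) -> server (node.js) -> server (jetty+oauth)), here is an added example, not code from the question or any answer, of the Node-side forwarding logic that keeps the OAuth credential out of the browser: the upstream host, the allowed path prefixes, the token value and the function names are assumptions.

```javascript
// Added example: the "version 1" layout where the Node.js server holds the
// OAuth credential and forwards browser calls to the Jetty API. The browser
// only ever talks to Node, so the key/secret never appears in html/js source.
// UPSTREAM, OAUTH_ACCESS_TOKEN, ALLOWED_PREFIXES are assumed/constructed values.

// Server-side only configuration (assumed; in practice read from env/config).
const UPSTREAM = { hostname: 'api.internal.example', port: 8443, basePath: '/v1' };
const OAUTH_ACCESS_TOKEN = 'server-held-token-example'; // constructed placeholder
const ALLOWED_PREFIXES = ['/api/orders', '/api/customers'];
// Only harmless request headers are passed through; credentials are not.
const FORWARDED_HEADERS = ['accept', 'content-type', 'if-none-match'];

// True when the browser-supplied path maps to an endpoint we choose to expose.
function isAllowedPath(path) {
  const clean = path.split('?')[0];
  if (clean.includes('..')) return false; // refuse traversal-looking paths
  return ALLOWED_PREFIXES.some(p => clean === p || clean.startsWith(p + '/'));
}

// Turns an inbound browser request {method, path, headers} into the options
// for the upstream call, or returns null when the path must be refused.
function buildUpstreamRequest(req) {
  if (!isAllowedPath(req.path)) return null;
  const headers = {};
  for (const [name, value] of Object.entries(req.headers || {})) {
    const lower = name.toLowerCase();
    if (FORWARDED_HEADERS.includes(lower)) headers[lower] = value;
  }
  // The credential is injected here, server side. Anything the browser sent in
  // Authorization or Cookie was dropped by the allowlist above, not forwarded.
  headers['authorization'] = 'Bearer ' + OAUTH_ACCESS_TOKEN;
  headers['host'] = UPSTREAM.hostname;
  return {
    hostname: UPSTREAM.hostname,
    port: UPSTREAM.port,
    method: req.method,
    // Strip the public "/api" prefix and mount under the upstream base path.
    path: UPSTREAM.basePath + req.path.replace(/^\/api/, ''),
    headers,
  };
}
```

Wiring `buildUpstreamRequest` into an `http.createServer` handler and piping the upstream response back to the browser is the remaining step; the token refresh/handshake would live in the same server-side module.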