pushyami
Community Member

How to access External service behind Oauth using Custom JavaScript on Canvas?

Hi, I am trying to figure out something that I need some consultation on.

On the Canvas Files tool page, I would like to add a new column/piece of information relating to how many people accessed a particular file, using the custom JavaScript that Canvas allows for customizing certain things through the Themes tool. Let's imagine I have an external service (getting data either from Canvas Live Events or Canvas Data) that provides me with that piece of information. All I need to do is make a call to the service like `GET: access_count/file_1.pdf` to return the count. Obviously, I need to put this service behind some sort of OAuth (simplest basic OAuth) to protect against unauthorized access. Since I call this service from JavaScript, I can't store the OAuth token in the JS file. Is there an alternative way that I can accomplish my goal?

2 Replies
robotcars
Community Champion

If you aren't providing any personally identifiable information, and privacy of the data isn't a concern... because file counts are pretty benign...

On something like AWS, you could set up the security group to allow access only from 1 source, x.instructure.com, and then a CORS setup in your service to match.

REST Security Cheat Sheet - OWASP 

Management endpoints

  • Restrict access to these endpoints by firewall rules or use of access control lists.

Cross-Origin Resource Sharing (CORS) is a W3C standard to flexibly specify what cross-domain requests are permitted. By delivering appropriate CORS Headers your REST API signals to the browser which domains, AKA origins, are allowed to make JavaScript calls to the REST service.

Thank you, this is helpful, just putting it out there and knowing what is and is not possible.

0 Kudos
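
The CORS allowlist suggested in the reply above, sketched as an added example (not code from the thread, from Canvas, or from OWASP). The function name `corsDecision`, the lower-cased header map it takes, and the `https://x.instructure.com` origin built from the thread's placeholder host are assumptions for illustration.

```javascript
// Added example: origin allowlist for the hypothetical access-count service.
// The origin below is a placeholder taken from the thread; use your own Canvas URL.
const ALLOWED_ORIGINS = new Set(["https://x.instructure.com"]);

// Decide how to answer a request from its method and lower-cased headers.
// Returns { status, headers }; status 200 on a GET means the HTTP layer may
// go on to look up and return the count.
function corsDecision(method, headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers["origin"];
  // Vary on Origin so a cache never reuses one origin's response for another.
  const out = { Vary: "Origin" };

  // Exact match on scheme + host (+ port). Substring or suffix checks would
  // accept look-alikes such as https://x.instructure.com.example.net.
  if (!origin || !allowed.has(origin)) {
    return { status: 403, headers: out };
  }
  // Echo the single matched origin; never "*" for a restricted API.
  out["Access-Control-Allow-Origin"] = origin;

  if (method === "OPTIONS") {
    // Preflight: advertise only the method this endpoint supports.
    if (headers["access-control-request-method"] !== "GET") {
      return { status: 405, headers: out };
    }
    out["Access-Control-Allow-Methods"] = "GET";
    out["Access-Control-Max-Age"] = "600";
    return { status: 204, headers: out };
  }
  if (method !== "GET") {
    return { status: 405, headers: out };
  }
  return { status: 200, headers: out };
}

// Constructed sample requests, not captured traffic.
const samples = [
  ["GET", { origin: "https://x.instructure.com" }],
  ["GET", { origin: "https://x.instructure.com.example.net" }],
  ["GET", { origin: "http://x.instructure.com" }],
  ["OPTIONS", { origin: "https://x.instructure.com", "access-control-request-method": "GET" }],
  ["GET", {}],
];
for (const [m, h] of samples) {
  console.log(m, h.origin ?? "(no Origin)", "->", corsDecision(m, h).status);
}
```

The browser sets the `Origin` header, so this check limits which pages can read the response from JavaScript. A non-browser client can send any `Origin` value, so the check is not authentication and only fits data that is acceptable to expose.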