HMAC Signatures and SPA
Just wanted to get some insight on how people are dealing with getting HMAC signatures and HPM on single page apps. We have no problems rendering the HPM, but in order to create an account we need an HMAC signature. Normally this isn't a problem, but SPAs execute on the client, meaning that the credential to request the HMAC signature has to either,
1. be placed in the source code for the page (plaintext), OR
2. be retrieved via an API call
Option 1 is not attractive because the idea of placing a credential in plaintext screams "security hole". Option 2, according to the Zuora integration consultant I worked with putting up our app 2 years ago, indicated that using an API call would work. It actually did for sometime but lately it appears that this option is no longer available.
SOOOOO, is everybody else who is using the HPM with SPAs leaving their creds in the breeze, or is there another [secure] way to get HMAC signatures to create accounts using HPM that I'm not thinking of?
Re: HMAC Signatures and SPA
There is an option 3, to this which would be to place a small API service on the web server(s) to accomodate the domain name restrictions on retrieving the HMAC signature. It's ugly, but it may work.