javascript - Can authentication via JS be faked? (Using 3rd party Authentication)

I'm looking to override the authentication backend of Django with Twitter Fabric's Digits. Digits allows sign-in without a password, using cellphone/mobile authentication.

The trick is, they provide an embeddable widget for the frontend (JS). The widget allows you to send requests and returns whether the user is authenticated or not.

Currently I have 2 ideas for integrating it with Django.

  1. Embed the script, wait for the response, and send the response to the backend. Let the backend parse the script.
  2. Figure out the endpoints and ping them from the backend, i.e. rewrite Fabric's Digits JS functions in Python.

I'd go with idea 1 but I'm unsure whether it is secure enough. Can the response of the request be spoofed? Are there vulnerabilities with option 1?

Option #1 alone isn't enough, you need to send the response to the server as well, and then you don't need #2.

If you went with the first option and didn't do server-side validation of the response, a mock response could be forwarded to the backend. Remember that (ignoring firewalls) a user can send whatever they want to the server backend, bypassing client-side validation.

What you need is to verify that the response the server receives from the frontend is valid, using the Digits API from the backend. See the documentation:

From your web server, over SSL, you can use the response to securely request the userID, phone number, and OAuth tokens of the Digits user. With this approach, there is no need to configure OAuth signing, or to configure and host a callback URL for Digits.

As additional security measures, you will want to, on your webhost:

  • validate that the oauth_consumer_key header value matches your OAuth consumer key, to ensure the user is logging into your site
  • verify the X-Auth-Service-Provider header, parsing the URI and asserting the domain is api.twitter.com or www.digits.com, to ensure the call is to Twitter.
  • validate the response from the verify_credentials call to ensure the user is logged in
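The three server-side checks from the answer, as an added Python example (not code from the question, the answer, or Digits/Fabric). It assumes the frontend forwards two values to the Django backend: the provider URL from X-Auth-Service-Provider and the OAuth `Authorization` header value, and that the verify_credentials response is JSON carrying an `id_str` field (both are assumptions about the response shape). The HTTP call is injectable (`fetch`) so the logic can be exercised offline with the constructed sample below; the allowed hosts are the two the answer names.

```python
import json
import re
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Hosts the answer says the X-Auth-Service-Provider URI must resolve to.
ALLOWED_PROVIDER_HOSTS = {"api.twitter.com", "www.digits.com"}


def parse_oauth_header(authorization):
    """Parse an `OAuth k="v", k2="v2"` Authorization header into a dict."""
    if not authorization.startswith("OAuth "):
        return {}
    body = authorization[len("OAuth "):]
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', body)}


def validate_echo_headers(provider_url, authorization, expected_consumer_key):
    """Checks 1 and 2 from the answer; returns (ok, reason) without any network I/O."""
    params = parse_oauth_header(authorization)
    # Check 1: the consumer key in the forwarded header must be *our* key,
    # otherwise the caller is replaying a login to some other Digits app.
    if params.get("oauth_consumer_key") != expected_consumer_key:
        return False, "oauth_consumer_key does not match our consumer key"
    # Check 2: the provider URI must point at Twitter/Digits over TLS.
    # Use the parsed hostname (exact match), so "api.twitter.com.evil.example"
    # and "https://api.twitter.com@evil.example/" are both rejected.
    parsed = urlparse(provider_url)
    if parsed.scheme != "https":
        return False, "provider URL is not https"
    if parsed.hostname not in ALLOWED_PROVIDER_HOSTS:
        return False, "provider host %r is not Twitter/Digits" % parsed.hostname
    return True, "ok"


def _https_fetch(url, authorization):
    """Real transport: GET the provider URL with the echoed Authorization header."""
    req = Request(url, headers={"Authorization": authorization})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def verify_digits_login(provider_url, authorization, expected_consumer_key, fetch=_https_fetch):
    """Full server-side validation: header checks, then check 3 (verify_credentials).

    Returns the account dict on success; raises PermissionError otherwise.
    """
    ok, reason = validate_echo_headers(provider_url, authorization, expected_consumer_key)
    if not ok:
        raise PermissionError(reason)
    account = json.loads(fetch(provider_url, authorization))
    # Check 3: the provider must confirm a logged-in user; we only trust its
    # answer, never the user id the browser claimed.  (id_str is an assumption.)
    if not isinstance(account, dict) or not account.get("id_str"):
        raise PermissionError("verify_credentials did not return a logged-in user")
    return account


# --- constructed sample values for offline use (not real Digits traffic) ---
SAMPLE_PROVIDER_URL = "https://api.twitter.com/1.1/account/verify_credentials.json"
SAMPLE_AUTH = ('OAuth oauth_consumer_key="OUR_CONSUMER_KEY", oauth_token="TOKEN_PLACEHOLDER", '
               'oauth_signature_method="HMAC-SHA1", oauth_signature="SIG_PLACEHOLDER"')
OUR_CONSUMER_KEY = "OUR_CONSUMER_KEY"


def fake_fetch(url, authorization):
    """Stand-in transport returning a constructed verify_credentials body."""
    return json.dumps({"id_str": "12345", "phone_number": "+15550100"})


if __name__ == "__main__":
    account = verify_digits_login(SAMPLE_PROVIDER_URL, SAMPLE_AUTH, OUR_CONSUMER_KEY, fetch=fake_fetch)
    print("logged in as Digits user", account["id_str"])
```

In a Django view you would read the two forwarded values from the POST body, call `verify_digits_login` with the real transport, and only then create or look up the local user from the returned account; a forged response from the browser fails at check 1 or 2, and a stale or revoked one fails at check 3.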
