I have developed a jQuery Plugin that displays some data it gets from a secured RESTful API. The API is secured by basic authentication and a token. To avoid leaking the basic authentication credentials or the logic to create the token, I moved them to a proxy.php that basically looks like this:
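    $url = "http://the-api.com/path";
    // $username and $password are the API credentials; they stay on the server.
    $context = stream_context_create(array(
        'http' => array(
            // Further header lines (such as the token) are elided here.
            'header' => "Authorization: Basic " . base64_encode("$username:$password") . "\r\n",
        ),
    ));
    // Fetch the API response server-side using the authenticated context.
    $response = file_get_contents($url, false, $context);
    header("Access-Control-Allow-Methods: GET, OPTIONS");
    header('Access-Control-Allow-Headers: X-Requested-With, Origin, Content-Type, Authorization');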
However, other people can just execute the same request by calling the proxy.php.
How can I verify that only the jQuery Plugin can call the proxy.php successfully? Could it be done by a combination of cookie and token? The proxy.php is on the same host/domain as the jQuery Plugin.