 

How to design a RESTful API to check for user's credentials?

Tags:

rest

I'm designing an API for a mobile app, and I hope to keep it RESTful.
APIs are authorized using Basic HTTP Auth; however, when the user opens the app for the first time, he needs to log in first, so I need to design an API to check the user's credentials, which will accept a pair of username and password and return success or fail accordingly.
The problem is: what should the URL be so that it is RESTful? I don't think /login is a good one.

wong2 asked Apr 13 '12 16:04



1 Answer

It's typically viewed as poor practice to pass sensitive data via an HTTP GET request.

Password information is sensitive data and is one of the exceptions that break the rule that idempotent operations should be GET requests.

Why is this an exception? Browser history and server logs will store GET requests, meaning that this sensitive information is visible as plain text in both places. So if someone gets hold of either, that information is now in their hands.

You should use an HTTP POST request to pass this sensitive information to the RESTful API as browsers will not store them and servers will not log them. However, the first line of defense is to use Secure HTTP (HTTPS) to ensure that this information is protected from outsiders.

So pass this information in the body of an HTTP request to an HTTPS URL.

Derek W answered Sep 19 '22 19:09
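The answer's advice carried into working code, as an added example that is not part of the original question or answer: a stdlib-only Python handler that models the credential check as `POST /sessions` with the username and password in a JSON body, refuses a GET that carries them in the query string, compares against a salted PBKDF2 hash in constant time, and returns one generic 401 whether the user is unknown or the password is wrong. The same check is reused to validate the `Authorization: Basic` header the app sends on later calls, which is how the question says the rest of the API is authorized. The route name `/sessions`, the in-memory user store, the session-token scheme and the JSON body shape are all assumptions made for the example.

```python
"""Credential check as POST /sessions, never a GET with the password in the URL.
Added example, not code from the question or answer: the /sessions route, the
user store, the token scheme and the JSON body shape are assumptions."""
import base64
import hashlib
import hmac
import json
import os
import secrets
from http import HTTPStatus
from urllib.parse import urlsplit

PBKDF2_ROUNDS = 100_000  # slow on purpose; tune to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a leaked user store does not leak passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed user store (assumption): one salt and one PBKDF2 hash per user.
_alice_salt = os.urandom(16)
USERS = {"alice": (_alice_salt, hash_password("correct horse", _alice_salt))}
# Dummy record so an unknown username costs the same time as a wrong password.
_DUMMY = (b"\x00" * 16, b"\x00" * 32)
SESSIONS = {}  # token -> username, filled by a successful POST /sessions


def verify_credentials(username: str, password: str) -> bool:
    """Constant-time check that never reveals whether the username exists."""
    record = USERS.get(username)
    salt, expected = record if record is not None else _DUMMY
    candidate = hash_password(password, salt)
    return record is not None and hmac.compare_digest(candidate, expected)


def handle_request(method: str, target: str, headers: dict, body: bytes):
    """Minimal dispatcher for the credential-check endpoint.

    Returns (status, response_dict). Assumes a front end that terminates HTTPS,
    so the body is encrypted in transit. The handler never logs the body.
    """
    if urlsplit(target).path != "/sessions":
        return HTTPStatus.NOT_FOUND, {"error": "not found"}
    if method != "POST":
        # Refuse GET outright: a password in the query string would land in
        # browser history, proxy logs and the server access log.
        return HTTPStatus.METHOD_NOT_ALLOWED, {"error": "use POST"}
    content_type = headers.get("content-type", "").split(";")[0].strip()
    if content_type != "application/json":
        return HTTPStatus.UNSUPPORTED_MEDIA_TYPE, {"error": "send application/json"}
    try:
        creds = json.loads(body)
        username, password = creds["username"], creds["password"]
        if not isinstance(username, str) or not isinstance(password, str):
            raise TypeError("username and password must be strings")
    except (ValueError, KeyError, TypeError):
        return HTTPStatus.BAD_REQUEST, {"error": "expected JSON with username and password"}
    if not verify_credentials(username, password):
        # One generic message for unknown user and wrong password alike.
        return HTTPStatus.UNAUTHORIZED, {"error": "invalid credentials"}
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return HTTPStatus.CREATED, {"token": token}


def authenticate_basic(authorization_header):
    """Validate the Authorization: Basic header used on later API calls.

    Returns the username on success, None if the header is missing or wrong.
    """
    if not authorization_header or not authorization_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode("utf-8")
        username, password = decoded.split(":", 1)
    except (ValueError, UnicodeDecodeError):  # bad base64, no colon, bad UTF-8
        return None
    return username if verify_credentials(username, password) else None


if __name__ == "__main__":
    json_hdr = {"content-type": "application/json"}
    good = json.dumps({"username": "alice", "password": "correct horse"}).encode()
    print(handle_request("POST", "/sessions", json_hdr, good))
    print(handle_request("GET", "/sessions?username=alice&password=correct%20horse", {}, b""))
```

Two points the code makes that the prose leaves implicit: the 405 for GET is returned before any credential is looked at, so nothing sensitive is ever parsed from a URL, and POST bodies stay out of logs only as long as the application itself does not write them there, which is why the handler logs nothing on the failure paths. The dummy hash on an unknown username keeps the 401 timing the same in both failure cases, so the endpoint does not double as a username oracle.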