Menu
I'm designing an API for a mobile app, and I hope to keep it RESTful.
API's are authorized using Basic HTTP Auth, however, When the user open the app for the first time, he need to login first, so I need to design an API to check for user's credentials, which will accept a pair of username and password, return success or fail accordingly.
the problem is what the url should be so it is restful? I don't think /login is a good one.
231
Application credential requirements The client must create a POST call and pass the user name, password, and authString in the Request headers using the /x-www-form-urlencoded content type. The AR System server then performs the normal authentication mechanisms to validate the credentials.
1) Configure the API Request URL and Authorization header as 'Basic Auth, then mention FortiAuthenticator admin name and password as 'REST API' key received by mail. 2) Configure the POST data in JSON format.
The way to do authentication or authorization in the RESTful service is by using the HTTP Authorization header as defined in the RFC 2616 HTTP specifications. Every single request should contain the HTTP Authorization header, and the request should be sent over an HTTPs (SSL) connection.
It's typically viewed as poor practice to pass sensitive data via an HTTP GET request.
Password information is sensitive data and is one of the exceptions that breaks the rule that idempotent operations should be GET requests.
Why is this an exception? Browser History and Server Logs will store GET requests. Meaning that this sensitive information is visible as plain text in both places. So if someone gets a hold of either - then that information is now in their hands.
You should use an HTTP POST request to pass this sensitive information to the RESTful API as browsers will not store them and servers will not log them. However, the first line of defense is to use Secure HTTP (HTTPS) to ensure that this information is protected from outsiders.
So pass this information in the body of an HTTP request to an HTTPS URL.
137
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
