Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Password protecting a REST service?

Tags:

rest

authentication

After creating a basic REST service, I've have come to the point where it would be appropriate to add some sort of password protection, as I need to verify that my users are both properly logged and have sufficient permissions to execute whatever action they are going to.

The REST service will mainly be accessed from a Javascript-heavy frontend and with that in mind, I have come up with the two following alternatives to solve this:

  1. Make users login by first sending credentials to a /login page with POST. The page sets a session cookie wherein the user is marked as logged in, along with the permission level. On each following request, I verify that the user is logged in and his/her permission level. When the session expires, automatically or manually (logout, the user will have to re-logon).

  2. Temporarily save the credentials hashed locally and send the users credentials along every single request made by the user to verify the credentials & permissions backend on a per-request basis.

Are there more ways to solve this and is there something else that I should be concerned with?

like image 596
Industrial Avatar asked Dec 19 '11 13:12

Industrial

Video Answer

1 Answers

I'm currently developing a REST API along with a client (written in javascript), below I'll try to explain the methods used to protect the API against unauthorized access.

  • Make your REST API to require a Auth-Key header upon every request to the API, besides /api/authenticate.

  • /api/authenticate will take a username and a password (sent using POST), and return user information along side with the Auth-Key.

  • This Auth-Key is randomly generated after a call to /api/authenticate and stored in the backend users table with the specific user entry, a md5 hash of the remote ip + the user agent provided by the client.

  • On every request the value of Auth-Key, and the md5 sum mentioned, is searched for in users . If a valid user is found that has been active during the past N minutes the user will be granted access, if not: http return code 401.

  • In the REST client, first get the Auth-Key by posting to /api/authenticate, then store this value in a variable and send in on every future request.

like image 77
Filip Roséen - refp Avatar answered Dec 21 '22 02:12

Filip Roséen - refp
Sign in to Comment

Related questions

Securing communication from android to a web service
Whats the best way to extend Anonymous User in Django?
Saml Authentication Request Protocol Id
Does Oauth 2.0 need consumer key/consumer secret
Session timeout does not work at asp.net mvc 4 C# . Why?
How to make Basic Auth exclude a rewritten URL
How to get access token in Web Api OAuth?
Windows authentication for Intranet/Internet
Lock out users after too many failed login attempts
change password in MVC 4
nginx auth_request: access original query parameter
How to pass authorization token in header in Rest assured?
User authentication with CodeIgniter
Mutual Authentication with x509 Certificates using HttpClient 4.0.1
the game is not recognized by game center
Zend Framework 2 - Global check for authentication with ZFCUser
Integrated Windows Authentication showing wrong loggedin user
python: API token generation with itsdangerous
pip install failing with 407 Proxy Authentication Required
React: setting up firebase auth with firebase-ui

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!