RESTful, user authentication, and Django-tastypie

Apologies for the beginner question.

I'm a little bit confused about the general approach to using RESTful services in conjunction with distinct users. In particular, I'm primarily concerned with developing an API that only I will use through the various applications that I write, namely, a web application, and potentially some mobile apps that will all access the same data.

(1) Is a rest API produced by something like django-tastypie appropriate (or even best practice) for non-public use -- i.e., when I only want to grant access to this data through my applications?

(2) In creating login-access to the Restful API, am I creating a login for all of the users of my web-app -- or am I creating a login for myself and my web application? Should user accounts to my webapp be considered distinct from accounts for accessing the Restful API?

Basically, I'm wanting to create an application using Django and django-tastypie that will allow users to login, create & view objects, subscribe to users and view their objects. I want to use the Tastypie API for my own javascript purposes, to ease with the creation of serializing and updating the relevant data in my views. Where do these user accounts fit within this picture? Thanks!

bento Avatar asked May 18 '12 03:05

1 Answer

If I understand correctly, you are dealing with two separate auth concerns here:

(A) Access to the API - Your web/mobile app only

(B) Access to user data via the API - For users via your web/mobile app

For (A), you could just authenticate on a secret key. So your web or mobile front end would send that key with every API request, which would guarantee that you are receiving requests only from clients that you authorize.

If you want to use different keys for different apps, you can create a simple django model to keep track of them, and add new keys or revoke them as necessary.

If you use SSL for everything, you should be safe from sniffing attacks to discover your key. I think the weakest point here would be that someone could possibly reverse engineer your mobile app to find the key, since you would have to store the key in the app.

For (B), use the django auth system. The tastypie Basic or ApiKey Authenticators should allow you to log users in via the API and, based on their permissions, access or create data. I think that's what you were asking in the second question?

I don't think you can use the same auth models for both (A) and (B) if you are using sessions, because you can't have two active sessions at the same time.

sid Avatar answered Sep 22 '22 13:09

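The two-layer check the answer describes, written out as a self-contained added example (not code from the question, the answer, or tastypie itself). Layer (A) checks a per-application secret sent in an `X-App-Key` header (the header name, the in-memory key tables and the sample key values are constructed for this example; tastypie has no such built-in layer). Layer (B) parses the header format tastypie's `ApiKeyAuthentication` actually uses, `Authorization: ApiKey <username>:<api_key>`, against a dict that stands in for tastypie's per-user `ApiKey` model. Both comparisons are constant-time, and a key per front end means a key extracted from a mobile binary can be revoked without touching the web app.

```python
import hmac

# Constructed sample: one secret per front end (layer A). In a real
# deployment these live in a small Django model so keys can be added or
# revoked; the values below are made up for this example.
APP_KEYS = {
    "web": "1f7c9e0a3b5d4c2e8a9f6b7d0c1e2f3a",
    "mobile-ios": "9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d",
}
REVOKED_APPS = set()

# Constructed sample: per-user API keys (layer B). tastypie stores these in
# its ApiKey model, one per Django user; a dict stands in for it here.
USER_API_KEYS = {
    "alice": "0a1b2c3d4e5f60718293a4b5c6d7e8f9",
    "bob": "f9e8d7c6b5a493827160f5e4d3c2b1a0",
}


def _header(headers, name):
    """Case-insensitive header lookup (Django exposes headers via
    request.META / request.headers; this example takes a plain dict)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _matches(candidate, expected):
    """Constant-time comparison so response timing does not leak how many
    leading characters of a guessed key were correct."""
    return hmac.compare_digest(candidate.encode(), expected.encode())


def authenticate_app(headers):
    """Layer (A): is this request from one of our own front ends?
    Returns the application name, or None if the key is missing, unknown
    or revoked."""
    presented = _header(headers, "X-App-Key")
    if not presented:
        return None
    for app, secret in APP_KEYS.items():
        if app not in REVOKED_APPS and _matches(presented, secret):
            return app
    return None


def authenticate_user(headers):
    """Layer (B): parse 'Authorization: ApiKey <username>:<api_key>' (the
    header form tastypie's ApiKeyAuthentication accepts; it also accepts
    username/api_key as query parameters, which this example omits).
    Returns the username, or None on any malformed or invalid credential."""
    auth = _header(headers, "Authorization")
    if not auth:
        return None
    scheme, _, credential = auth.partition(" ")
    if scheme != "ApiKey" or not credential:
        return None
    username, sep, api_key = credential.partition(":")
    if not sep or not username or not api_key:
        return None
    expected = USER_API_KEYS.get(username)
    if expected is None or not _matches(api_key, expected):
        return None
    return username


def authenticate_request(headers):
    """Both layers in order: reject unknown clients before doing any user
    lookup. Returns (app, username) or raises PermissionError."""
    app = authenticate_app(headers)
    if app is None:
        raise PermissionError("unknown client application")
    user = authenticate_user(headers)
    if user is None:
        raise PermissionError("missing or invalid user API key")
    return app, user


def revoke_app(app):
    """Revoke one front end's secret (e.g. after it leaks from a mobile
    binary) without affecting the other applications or any user keys."""
    REVOKED_APPS.add(app)
```

In a tastypie project the same logic would sit in a custom `Authentication` subclass's `is_authenticated()` and be attached to each `Resource` via its `Meta.authentication`, with `REVOKED_APPS` and `APP_KEYS` replaced by model lookups; the ordering (client check first, user check second) is what keeps a user's leaked key useless outside your own applications.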