
RESTful Verify Password service

I'm writing a Verify Password service using the ASP.NET Web Api.

The service accepts a password for the currently signed in user, verifies it, and returns an encoded value. This all happens over SSL.

Calling this method causes no changes to state.

Initially this looks like it should be a GET request; however, on further inspection I'm concerned about the web server logging plain-text passwords.

We could implement this as a POST but that seems like the wrong verb given the action.

Is this simply a case of pragmatism over procedure or is there more we can do to fulfil both the pragmatic and RESTful cases?

Jamie Dixon asked Nov 13 '22 11:11

1 Answer

You should use Basic Authentication, where you pass the username/password as headers. This also fits better, as the standard is already defined.

There is already JavaScript code for doing base64 encoding, if you need to do this in the browser.


If you are doing this to authenticate and the encoded value is the access token (cookie), it is better to use OAuth 2.0.

Aliostad answered Nov 15 '22 11:11