Spring boot REST api security for Android App using Google + Facebook login

I'm building an application with 2 layers: -

1. Native Android App - contains ability to sign in via Facebook + Google to make sign on less painful.

2. Java Server using Spring Boot - typical MVC endpoints such as REST api + UI admin screens.

The Facebook (FacebookSdk) and Google (GoogleApiClient) sign-in parts are working and tested using the following Android dependencies: -

dependencies {
   compile 'com.facebook.android:facebook-android-sdk:4.6.0'
   compile 'com.google.android.gms:play-services-auth:9.0.0'
   ....
}

API wise we have: -

/api/signin - called when a user signs in successfully with either Facebook or Google, and creates an entry in a users database table.

There are also a number of other API endpoints, e.g. offers:

/api/offers/<user_id> - returns offers to an already registered user.

I'm unsure of the best practice way in which: -

  1. How the Android app does API calls to the /api/signin REST endpoint (i.e. which headers etc. are OK to send to what I'd assume is an endpoint without security, because unregistered users will be hitting this). Also, what fields are OK to save in the users db table?

  2. How the Android app does API calls to e.g. /api/offers/ for already registered users, i.e. which tokens etc. should the Android app pass down?

  3. The best practice way for Spring Security to secure these endpoints.

I'm assuming OAuth 2 is the way to go, but any advice / pointers will be most appreciated.

Asked by bobmarksie, Jan 24 '17 13:01


1 Answer

Ans:1 /api/signin - at the time of sign-in the app will send the user info to the server, and the server will generate a token; this token will come back in the sign-in response. The app can save this token, and it can be changed from time to time. You can use any HTTP library for the web service, like Volley, Retrofit etc.

Fields you need to store in the db: userId, userName, userToken.

Ans:2 /api/offers/ - you can check the user's userId in the db; if it exists there, then you will throw an "already present" msg in the web service response.

Ans:3 Use an SSL implementation for your web service, that would be much more secure, and as you have mentioned you are going to use a token for every user, so it will be accessible only for authenticated users.

Note:- The token should change every 30 min or whatever time you want; that will make your authentication functionality more secure.

Answered by Arati, Sep 18 '22 19:09
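As an added example (not code from the question or the answer), this is one way to wire the answer's token scheme into Spring Security: /api/signin is open, every other endpoint requires an "Authorization: Bearer <token>" header whose token is found in the users table and is younger than the 30-minute rotation window. It assumes Spring Boot 3 / Spring Security 6 (jakarta.servlet); TokenStore is a hypothetical interface standing in for the lookup over the userId/userToken columns.

```java
import java.io.IOException;
import java.time.*;
import java.util.List;
import jakarta.servlet.*;
import jakarta.servlet.http.*;
import org.springframework.context.annotation.*;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;
/** Hypothetical lookup over the answer's users table (userId, userName, userToken); null if unknown. */
interface TokenStore { record Entry(long userId, Instant issuedAt) {} Entry find(String token); }
/** Authenticates a request carrying "Authorization: Bearer <token>" when the token is known and fresh. */
class TokenAuthFilter extends OncePerRequestFilter {
    static final Duration MAX_AGE = Duration.ofMinutes(30); // rotation interval from the answer's note
    private final TokenStore tokens;
    TokenAuthFilter(TokenStore tokens) { this.tokens = tokens; }
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            TokenStore.Entry e = tokens.find(header.substring("Bearer ".length()));
            if (e != null && Instant.now().isBefore(e.issuedAt().plus(MAX_AGE))) {
                var auth = new UsernamePasswordAuthenticationToken(
                        e.userId(), null, List.of(new SimpleGrantedAuthority("ROLE_USER")));
                SecurityContextHolder.getContext().setAuthentication(auth);
            } // unknown or expired token: request stays anonymous and is rejected below
        }
        chain.doFilter(req, res);
    }
}
@Configuration
class ApiSecurityConfig {
    @Bean
    SecurityFilterChain api(HttpSecurity http, TokenStore tokens) throws Exception {
        http.csrf(csrf -> csrf.disable())          // pure token API, no browser session cookies
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/signin").permitAll()   // unregistered users reach this one
                .anyRequest().authenticated())                // /api/offers/** etc. need a valid token
            .addFilterBefore(new TokenAuthFilter(tokens), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

Keeping only a hash of userToken in the table and looking it up by hash limits what a database leak exposes; the TLS the answer recommends is what keeps the bearer token private in transit.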