I'm building an application with 2 layers:
1. Native Android App - contains the ability to sign in via Facebook + Google to make sign-on less painful.
2. Java Server using Spring Boot - typical MVC endpoints such as a REST API + UI admin screens.
The Facebook (FacebookSdk) and Google (GoogleApiClient) sign-in parts are working and tested using the following Android dependencies:
    dependencies {
        compile 'com.facebook.android:facebook-android-sdk:4.6.0'
        compile 'com.google.android.gms:play-services-auth:9.0.0'
        ....
    }
API-wise we have:
/api/signin - called when a user signs in successfully with either Facebook or Google, and creates an entry in a users database table.
There are also a number of other API endpoints, e.g. offers:
/api/offers/<user_id> - returns offers to an already registered user.
I'm unsure of the best-practice way in which:
1. The Android app does API calls to the /api/signin REST endpoint (i.e. which headers etc. are OK to send to what I'd assume is an endpoint without security, because unregistered users will be hitting it). Also, what fields are OK to save in the users db table?
2. The Android app does API calls to e.g. /api/offers/ for already registered users? i.e. what tokens etc. should the Android app pass down?
3. The best-practice way for Spring Security to secure these endpoints.
I'm assuming OAuth 2 is the way to go, but any advice / pointers will be most appreciated.
Ans:1 /api/signin - at the time of sign-in the app will send user info to the server, and the server will generate a token; this token will come back in the sign-in response. The app can save this token; it can be changed from time to time. You can use any HTTP library for the web service, like Volley, Retrofit etc.
Fields you need to store in the db: userId, userName, userToken.
Ans:2 /api/offers/ - you can check the user's userId in the db; if it exists there, then you will return an "already present" msg in the web service response.
Ans:3 Use an SSL implementation for your web service; that would be much more secure. And as you have mentioned, you are going to use a token for every user, so it will be accessible only to authenticated users.
Note: The token should change every 30 min or whatever time you want; that will make your authentication functionality more secure.
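As an added example (not code from the question or the answer above), here is the token lifecycle the answer describes, sketched server-side in Python rather than Spring Boot so that it runs stand-alone: /api/signin issues a random bearer token and stores only its SHA-256 hash with a 30-minute expiry; /api/offers/<user_id> requires an "Authorization: Bearer <token>" header and additionally checks that the token belongs to the user named in the path; a hypothetical rotate endpoint swaps a live token for a fresh one. The AuthServer class, its method names, and the sample identity and offer data are all constructed for this example. It also assumes that the identity handed to signin has already been verified with Google or Facebook (e.g. the Google ID token's signature and audience checked server-side); that verification is not performed here.

```python
import hashlib
import secrets

# The answer above suggests changing the token every 30 minutes.
TOKEN_TTL_SECONDS = 30 * 60


class AuthServer:
    """In-memory stand-in for the Spring Boot service's users and sessions tables (hypothetical)."""

    def __init__(self):
        self.users = {}     # user_id -> {"provider", "subject", "name"}
        self.sessions = {}  # sha256(token) -> {"user_id", "expires_at"}; the raw token is never stored
        self.offers = {}    # user_id -> offers (constructed sample data)

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def signin(self, verified_identity, now):
        """POST /api/signin: find or create the users row, then issue a bearer token.

        verified_identity is ASSUMED to have been checked against the provider
        already; the server never trusts a user id or name merely asserted by the app.
        """
        key = (verified_identity["provider"], verified_identity["subject"])
        user_id = next((uid for uid, u in self.users.items()
                        if (u["provider"], u["subject"]) == key), None)
        if user_id is None:
            user_id = "u%d" % (len(self.users) + 1)
            self.users[user_id] = {"provider": key[0], "subject": key[1],
                                   "name": verified_identity.get("name", "")}
        return {"status": 200, "user_id": user_id, "token": self._issue(user_id, now)}

    def _issue(self, user_id, now):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.sessions[self._hash(token)] = {"user_id": user_id,
                                            "expires_at": now + TOKEN_TTL_SECONDS}
        return token

    def _session_for(self, headers, now):
        """Resolve 'Authorization: Bearer <token>' to (digest, session), or (None, None)."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            return None, None
        digest = self._hash(token)
        sess = self.sessions.get(digest)
        if sess is None:
            return None, None
        if sess["expires_at"] <= now:
            del self.sessions[digest]  # expired: the app must sign in again
            return None, None
        return digest, sess

    def get_offers(self, headers, path_user_id, now):
        """GET /api/offers/<user_id>: authenticate, then check the path matches the caller."""
        _, sess = self._session_for(headers, now)
        if sess is None:
            return {"status": 401}
        if sess["user_id"] != path_user_id:
            return {"status": 403}  # valid token, but it belongs to a different user
        return {"status": 200, "offers": self.offers.get(path_user_id, [])}

    def rotate(self, headers, now):
        """POST /api/token/rotate (hypothetical): swap a live token for a new one."""
        digest, sess = self._session_for(headers, now)
        if sess is None:
            return {"status": 401}
        del self.sessions[digest]  # the old token stops working immediately
        return {"status": 200, "token": self._issue(sess["user_id"], now)}


def demo():
    """Walk the flow with constructed data; returns a dict of outcomes."""
    server = AuthServer()
    t0 = 1_600_000_000
    # Constructed identity, shaped like what verifying a Google ID token server-side would yield.
    alice = {"provider": "google", "subject": "1001", "name": "Alice"}
    first = server.signin(alice, t0)
    server.offers[first["user_id"]] = ["10% off coffee"]  # constructed offer
    hdr = {"Authorization": "Bearer " + first["token"]}
    out = {}
    out["own_offers"] = server.get_offers(hdr, first["user_id"], t0 + 60)
    out["other_user"] = server.get_offers(hdr, "u2", t0 + 60)["status"]
    out["no_header"] = server.get_offers({}, first["user_id"], t0 + 60)["status"]
    out["basic_not_bearer"] = server.get_offers({"Authorization": "Basic abc"}, first["user_id"], t0 + 60)["status"]
    out["same_user_on_repeat_signin"] = server.signin(alice, t0 + 120)["user_id"] == first["user_id"]
    out["raw_token_not_in_db"] = first["token"] not in str(server.sessions)
    rotated = server.rotate(hdr, t0 + 300)
    out["old_token_after_rotate"] = server.get_offers(hdr, first["user_id"], t0 + 301)["status"]
    new_hdr = {"Authorization": "Bearer " + rotated["token"]}
    out["new_token_after_rotate"] = server.get_offers(new_hdr, first["user_id"], t0 + 301)["status"]
    out["expired"] = server.get_offers(new_hdr, first["user_id"], t0 + 300 + TOKEN_TTL_SECONDS)["status"]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In the Spring Boot service the same checks would sit in a filter in front of the protected endpoints, with the hashed token and its expiry in the database alongside userId and userName. The per-user check in get_offers matters because /api/offers/<user_id> takes the user id from the URL: a valid token alone is not enough, it must be the token of the user being asked about. The provider verification assumed by signin is what stops the unauthenticated /api/signin endpoint from letting anyone create or take over an account by asserting someone else's details.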