What's the best way to implement a Registration REST API for iPhone/Android?

Question

I'm writing a backend application with REST API for iPhone and Android. It's an internal API.

At this point, I'm trying to implement a user registration API such that the user can register from the mobile app.

I'm writing using Django and with Django they comes with Cross Site Request Forgery for the web request. I have to disable it for REST API, using django-piston.

So how can I protect my registration API from spamming? throttle? captcha? what's the best practice to implement a registration API? what's the pitfall?

One suggestion came up was to load a webview on the mobile app and have a mobile web registration form such that CSRF can be implemented. It's a solution but not a neat one as I have to create design page for each mobile device or a generic one that might not be suited across all devices.

Many help are appreciated.

Cheers, Mickey

Answer 1

I agree in that using an OpenID provider is a great way to achieve that. You should look into http://pypi.python.org/pypi/django-social-auth or similar projects. An added benefit is that you do not need to save password credentials in your database. Less data to manage, less data to loose.

If you definitely need a classic username/password based scheme and accompanying registration (maybe alongside OpenID based stuff like SO itself), I'd go with the throttling that piston provides. Personally I use captchas only as a last resort, and doing so via a REST interface is probably quite annoying. Do you request a captcha before the registration phase can continue? How do you note that this user has completed the captcha (session+cookies, ...)? You cannot use reCAPTCHA or similar services without using a webview (which would render the whole REST approach obsolete IMO).

I would revisit using a WebView. If you keep your interface clean and simple it shouldn't jar with any conventions on any smartphone platform.