I'm writing a backend application with a REST API for iPhone and Android. It's an internal API.
At this point, I'm trying to implement a user registration API such that the user can register from the mobile app.
I'm writing it in Django, and Django ships with Cross Site Request Forgery protection for web requests. I have to disable it for the REST API (which uses django-piston).
So how can I protect my registration API from spamming? Throttling? CAPTCHA? What's the best practice for implementing a registration API? What are the pitfalls?
One suggestion that came up was to load a WebView in the mobile app and have a mobile web registration form, so that CSRF protection can be used. It's a solution but not a neat one, as I would have to create a design page for each mobile device, or a generic one that might not suit all devices.
Any help is appreciated.
Cheers, Mickey
A RESTful API is an architectural style for an application program interface (API) that uses HTTP requests to access and use data. That data is accessed with GET, PUT, POST and DELETE requests, which correspond to the reading, updating, creating and deleting operations on resources.
For mobile apps, RESTful APIs use the HTTPS protocol, which is more secure because it uses Secure Sockets Layer (SSL). Since mobile apps undergo a lot of updates, they should have a robust process for version control to manage the changes better.
I agree that using an OpenID provider is a great way to achieve that. You should look into http://pypi.python.org/pypi/django-social-auth or similar projects. An added benefit is that you do not need to save password credentials in your database. Less data to manage, less data to lose.
If you definitely need a classic username/password based scheme and accompanying registration (maybe alongside OpenID based stuff, like SO itself), I'd go with the throttling that piston provides. Personally, I use CAPTCHAs only as a last resort, and doing so via a REST interface is probably quite annoying. Do you request a CAPTCHA before the registration phase can continue? How do you note that this user has completed the CAPTCHA (session + cookies, ...)? You cannot use reCAPTCHA or similar services without using a WebView (which would render the whole REST approach obsolete, IMO).
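To make the "throttle the registration call" advice concrete, here is an added example (not code from the thread, and not django-piston's own implementation): a sliding-window throttle keyed by client IP, wrapped around a registration handler. It is plain Python with no Django or piston dependency so it runs offline; the names `Throttle`, `UserStore`, `register` and the dict standing in for the HTTP request are assumptions made for illustration. piston's decorator does the same counting against a cache backend and answers with its own "Throttled" response. Every attempt counts against the limit, including ones that fail validation, and a duplicate username gets the same reply as a success so the endpoint cannot be used to enumerate accounts (a design choice of this example, not something the thread specifies).

```python
"""Sliding-window throttle around a registration endpoint (added example)."""
import re
import time
from collections import defaultdict, deque

# Deliberately simple e-mail check; a real deployment sends an activation mail anyway.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,30}")


class Throttle:
    """Allow at most `max_calls` calls per `window_seconds` for each key.

    Keys are client IPs here.  Timestamps older than the window are dropped
    on every check, so the limit slides rather than resetting at fixed
    boundaries.  `clock` is injectable so the behaviour can be tested
    deterministically.  In production the per-key deques would live in a
    shared cache (memcached/redis) so every API worker sees the same counts.
    """

    def __init__(self, max_calls, window_seconds, clock=time.monotonic):
        self.max_calls = max_calls
        self.window = window_seconds
        self.clock = clock
        self._hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.max_calls:
            return False
        hits.append(now)          # count the attempt whether or not it succeeds
        return True


class UserStore:
    """In-memory stand-in for the user table (constructed for this example)."""

    def __init__(self):
        self._users = {}

    def exists(self, username):
        return username.lower() in self._users

    def add(self, username, email):
        self._users[username.lower()] = email


def register(request, throttle, store):
    """Handle one registration call.

    `request` is a dict standing in for the HTTP request:
    {"ip": str, "username": str, "email": str, "password": str}.
    Returns (status_code, body) the way a REST handler would.
    """
    # Throttle first, before any work is done on behalf of the caller.
    if not throttle.allow(request["ip"]):
        return 429, {"error": "too many registration attempts, retry later"}

    username = request.get("username", "").strip()
    email = request.get("email", "").strip()
    password = request.get("password", "")

    if not USERNAME_RE.fullmatch(username):
        return 400, {"error": "invalid username"}
    if not EMAIL_RE.match(email):
        return 400, {"error": "invalid email"}
    if len(password) < 8:
        return 400, {"error": "password too short"}

    # Same response for new and existing names: no username oracle.
    if not store.exists(username):
        store.add(username, email)
    return 201, {"status": "check your email to activate the account"}


if __name__ == "__main__":
    thr = Throttle(max_calls=5, window_seconds=600)
    db = UserStore()
    req = {"ip": "10.0.0.1", "username": "mickey",
           "email": "mickey@example.com", "password": "correct-horse-battery"}
    for _ in range(6):
        print(register(req, thr, db))
```

Run stand-alone it prints five `201` replies followed by a `429` once the sixth attempt from the same IP arrives inside the ten-minute window; the window and the limit are the two knobs you would tune against the registration rate you actually expect from real users.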
I would revisit using a WebView. If you keep your interface clean and simple, it shouldn't jar with any conventions on any smartphone platform.