Pixark

Reputation: 385

REST API authentication - Will this be sufficient?

I have been trying to wrap my brain around authentication on a REST API.

I've tried to think of a way to successfully authenticate users, keeping in mind that users can access all data on the client, and I've come up with this idea.

Client sends username and password to the server
Server checks if they match a user.
    If it does, we create a hashed string with user_id+e-mail+currentTime+salt
    and store this in a database table with an expiration date.
Server returns hashed string to client

Client sends random request to server including key
Server checks if key is correct and if it's expired

Is this a proper way to do it, and do you see any security flaws?

Upvotes: 4

Views: 131

Answers (1)

Pedro Werneck

Reputation: 41898

You're effectively storing session state on the server, which is something you shouldn't be doing on a RESTful API.

Authentication on a RESTful API should simply follow whatever is the standardized authentication method for the underlying protocol. Instead of reinventing HTTP authentication, you should simply require clients to authenticate through HTTP Basic Auth on every request, using the Authorization header. Obviously, all your client-server interactions should be done over SSL.

If you really need some authentication token with an expiry date, you can have a resource that provides it once the client is authenticated with Basic (like a signed timestamp), but clients should still send that in the Authorization header, with a custom realm, and no state should be stored on the server.

Upvotes: 2
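One way to implement the stateless signed-timestamp token the answer describes, as an added example that is not the answerer's code: the token carries the username, an expiry time and an HMAC over both, is issued once after HTTP Basic authentication succeeds, and is verified on every later request from the Authorization header alone, so the server keeps no token table. The HMAC key, the "Token" scheme name and the one-hour lifetime are assumptions for the demo.

```python
import hmac
import hashlib
import base64

# Constructed demo key (assumption); a real deployment loads it from a secrets store.
SERVER_KEY = b"example-server-key-do-not-reuse"
TOKEN_TTL = 3600  # token lifetime in seconds (assumption)


def _sign(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_token(username: str, now: int, ttl: int = TOKEN_TTL, key: bytes = SERVER_KEY) -> str:
    """Token resource: called only after Basic auth succeeded for `username`.
    Nothing is written to a database; the MAC is the only proof of validity."""
    expires = now + ttl
    payload = f"{username}:{expires}".encode()
    raw = payload + b":" + _sign(payload, key).encode()
    return base64.urlsafe_b64encode(raw).decode()


def verify_token(token: str, now: int, key: bytes = SERVER_KEY):
    """Return the username if the token is authentic and unexpired, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
        # rsplit from the right so a username containing ':' still parses.
        username, expires_str, mac = raw.rsplit(":", 2)
        expires = int(expires_str)
    except ValueError:  # bad base64, bad UTF-8, wrong field count or non-integer expiry
        return None
    payload = f"{username}:{expires}".encode()
    # Constant-time compare: a forged or tampered MAC must not leak via timing.
    if not hmac.compare_digest(mac, _sign(payload, key)):
        return None
    if now >= expires:  # expiry is covered by the MAC, so it cannot be extended
        return None
    return username


def authorization_header(token: str) -> str:
    """Value the client puts in Authorization on every request (custom scheme)."""
    return f"Token {token}"


def authenticate_request(headers: dict, now: int, key: bytes = SERVER_KEY):
    """Server side: read the Authorization header and verify the token statelessly."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Token" or not token:
        return None
    return verify_token(token, now, key)
```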
