PHP - RESTful API for mobiles with authentication

Question

I found many questions/answers here and many articles in other websites but I have still a few questions which I need to answer before I can start and I just can't find answers for them. I want to create restful api for mobile apps (and for some frontend).

I choose Basic Authentication via HTTPS because I guess it's enough for now and it looks easy to implement. So I should have username and hashed password saved in dabatase right? Then when user write username and password in app I hashed password and both encrypt by Base64 and add to HTTP header right? How can I decrypt this and check with database on server-side? How it would change with salt?

And after I check username and password with previous call then how can I save this session? Should I create some session-id/token (random string) and save it to column in users table and send it back to mobile app and then using it for other calls (with some timestamp for expiration)? Could it be via HTTP (no secure)? Like web.com/api?token=ASsF234Silkj&data=... Or I must always use HTTPS after authentication?

How will it change when I use some API key (private) in all apps which would use this API? I know I can hide key and don't send it via requests (use it just for encryption) but what if someone try to read .apk and get API key?

Answer 1

So I should have username and hashed password saved in database right?

Yes, you should hash it, don't use MD5 or SHA1, they are now no more secured. Use SHA2 or SHA3.

Then when user write username and password in app I hashed password and both encrypt by Base64 and add to HTTP header right?

Base64 is not hash function, you can get original content from base64, it's just a encoding way.. Yes you have to put credentials to HTTP header. While sending user name and password (hash or plain), use HTTPS connection. Sending hash in HTTP connection is vulnerable to replay attack.

How can I decrypt this and check with database on server-side? How it would change with salt?

If you send Hash , you cannot decrypt it (that the sole purpose of Hash). I would recommend you following: 1) send user name and password to server via https 2) create hash at server and check with the existing hash in database.

And after I check username and password with previous call then how can I save this session?

depends on which langauge you are using

Should I create some session-id/token (random string) and save it to column in users table and send it back to mobile app and then using it for other calls (with some timestamp for expiration)? Could it be via HTTP (no secure)?

you can do that but use HTTPS, and do not use time stamp, it is very unsecure. Rather generate long random string

How will it change when I use some API key (private) in all apps which would use this API?

???

I know I can hide key and don't send it via requests (use it just for encryption) but what if someone try to read .apk and get API key?

Do not put key in APK, generate it locally if it is private key (if i got what you mean)

Answer 2

First off, base64 is not encryption

While it is possible to integrate basic http authentication with sessions it is not a trivial task. And it's very easy to end up with something which is insecure (especially judging from the level of skill evidenced in your question).

You seem to have planned out most of what you want to acheive - but you've got most of it wrong already.

Whether you should continue to use HTTPS after authentication depends if your service has any intrinsic value.

Similarly how you implement surrogate authentication tokens (including API keys) depeds on the security model. Stick to using HTTPS everywhere and you should not have to worry about changing / encrypting the API key.