Reputation:
I have used RESTHeart and HTTPie to connect to my MongoDB with the following line:
http PUT 127.0.0.1:8080/myfirstdb desc='this is my first db created with restheart' -a username:password
but I think that it is not secure at all to use my RESTHeart username and password directly inside the command. How can I make this request securely without typing my REST username and password in the command?
Upvotes: 0
Views: 643
Reputation: 1253
If you omit the password in the command, httpie will prompt for it.
http PUT 127.0.0.1:8080/myfirstdb desc='this is my first db created with restheart' -a username
If successfully authenticated, RESTHeart returns you an auth-token that you can use as a temporary password for further calls (it has a time to live that can be set in the configuration file).
Here is an example of response headers:
Auth-Token: 6a81d622-5e24-4d9e-adc0-e3f7f2d93ac7
Auth-Token-Location: /_authtokens/[email protected]
Auth-Token-Valid-Until: 2015-04-16T13:28:10.749Z
So you can do (note the auth-token used as the basic authentication password):
http GET 127.0.0.1:8080/myfirstdb -a username:6a81d622-5e24-4d9e-adc0-e3f7f2d93ac7
Also note that you should use https in production environments.
For more information, have a look at the security section of the RESTHeart documentation: https://softinstigate.atlassian.net/wiki/x/W4CM
Upvotes: 1
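The token flow described in the answer above, as an added Python example (not part of the original answers and not RESTHeart's own code): it prompts for the password without echo, reads the Auth-Token headers shown above, and reuses the token as the Basic password only while Auth-Token-Valid-Until is in the future. The function names, the loopback allow-list and the timestamp format (taken from the sample header) are assumptions made here.

```python
import base64
import getpass
import urllib.request
from datetime import datetime, timezone
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}  # assumption: plain HTTP tolerated only here

def check_transport(url):
    """Refuse to send Basic credentials over plain HTTP except to loopback."""
    parts = urlsplit(url)
    if parts.scheme != "https" and parts.hostname not in LOOPBACK:
        raise ValueError("Basic auth over plain HTTP exposes credentials: " + url)
    return url

def basic_header(user, secret):
    """Authorization value; secret is the password or a RESTHeart auth-token."""
    raw = f"{user}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def token_from_headers(headers, now=None):
    """Return (token, expiry) from the response headers, or None if absent or expired."""
    token = headers.get("Auth-Token")
    until = headers.get("Auth-Token-Valid-Until")
    if not token or not until:
        return None
    # Format assumed from the sample header: 2015-04-16T13:28:10.749Z (UTC)
    expiry = datetime.strptime(until, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (token, expiry) if expiry > now else None

def call(url, user, secret, method="GET"):
    """Send one request with Basic auth; returns (status, response headers)."""
    req = urllib.request.Request(check_transport(url), method=method)
    req.add_header("Authorization", basic_header(user, secret))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.headers

if __name__ == "__main__":
    base = "http://127.0.0.1:8080/myfirstdb"  # URL from the question
    user = input("RESTHeart user: ")
    # getpass keeps the password out of argv, shell history and the terminal echo
    status, headers = call(base, user, getpass.getpass("Password: "))
    issued = token_from_headers(headers)
    if issued:
        token, expiry = issued
        status, _ = call(base, user, token)  # token replaces the password
        print(status, "using token valid until", expiry.isoformat())
```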
Reputation:
Again, quoting the RestHeart documentation:
RESTHeart uses basic authentication; usernames and passwords are sent over the net on each request. Using the http listener is not secure: users credentials can be sniffed by a man-in-the-middle attack.
http://restheart.org/docs/configuration.html
Basic Authentication (username:password) seems to be the only supported mode of authentication. RestHeart recommends setting up an https listener, so your passwords cannot be sniffed in plain text.
Upvotes: 1