Reputation: 3010
I'm writing a backend application with REST API for iPhone and Android. It's an internal API.
At this point, I'm trying to implement a user registration API such that the user can register from the mobile app.
I'm writing it using Django, and Django comes with Cross Site Request Forgery protection for web requests. I have to disable it for the REST API, using django-piston.
So how can I protect my registration API from spamming? Throttling? Captcha? What's the best practice for implementing a registration API? What are the pitfalls?
One suggestion that came up was to load a webview in the mobile app with a mobile web registration form so that CSRF protection can be implemented. It's a solution, but not a neat one, as I would have to create a design page for each mobile device, or a generic one that might not be suited to all devices.
Any help is appreciated.
Cheers, Mickey
Upvotes: 7
Views: 5638
Reputation: 33670
There's no reason to worry about CSRF for your REST API, check this section in the docs that explains why.
Best way to prevent spam is to collect user data from a verified source, such as an OpenID provider, Facebook, etc. If you want to do this manually, then the simplest way to do it is to take django-registration and extend one of the backends. You can take the provided simple backend and use a custom form with a captcha field. This should be enough to weed out automated registrations. Should be simple enough to get it hooked up with piston.
EDIT:
You're right, I just re-read the question and noticed I completely disregarded the fact that you already mentioned you're developing your REST API against remote Android/iPhone users. So your API is publicly exposed and accepts requests that aren't originating from your domain or from a browser client for that matter.
I wouldn't reinvent the wheel in your case then, you should implement Open API Authentication, since it applies perfectly to your requirements: knowing that you're exchanging information with an actual user, without worrying where the request originated from.
Upvotes: 0
Reputation: 2193
I agree in that using an OpenID provider is a great way to achieve that. You should look into http://pypi.python.org/pypi/django-social-auth or similar projects. An added benefit is that you do not need to save password credentials in your database. Less data to manage, less data to lose.
If you definitely need a classic username/password based scheme and accompanying registration (maybe alongside OpenID based stuff like SO itself), I'd go with the throttling that piston provides. Personally I use captchas only as a last resort, and doing so via a REST interface is probably quite annoying. Do you request a captcha before the registration phase can continue? How do you note that this user has completed the captcha (session+cookies, ...)? You cannot use reCAPTCHA or similar services without using a webview (which would render the whole REST approach obsolete IMO).
I would revisit using a WebView. If you keep your interface clean and simple it shouldn't jar with any conventions on any smartphone platform.
Upvotes: 1