Larry Ullman's Book Forums

Rest Authentication


Jonathon

As a total newbie to REST, and with the intention of using it in a web service, I was a little unsure about how authentication takes place. Reading around, it should be stateless, so not involve cookies and sessions, and a lot of places talk about using a token. But I wanted to be clearer on exactly that. So I had a couple of questions:


1) Is it the case that when you create a user via the web app or an iPhone app, you should automatically create an auth_token for this person and store it in your DB?


2) Would something like md5(uniqid(rand(), true)); be suitable for a token?


3) From there, how should you use the token with requests?


4) Is the token then stored in Core Data or a file in the app and pulled from there?


What are your needs here? If this is a read-only (only GET operations) API, you don't need strict authentication, or might not need it at all. Tokens can be used to make sure only those with a valid key can fetch data, and you can throttle their calls and build statistics. You could also consider leaving it out completely. If the API is read only, a simple token emailed to users is enough. You can add this token as a GET param or insert it into a header in your calls.


1. Seems like a good idea. That way you can also retract tokens.

2. Probably. How important is security? The tokens generated should take this into account.

3. You should require users to pass the token upon every request. As you said, there's no state here.

4. Sounds reasonable.


Thanks Thomas.


It won't be totally read only. A lot of it will be, but there will be some user-specific calls I want to use, and there will be certain user roles that will need to be verified as a) being a certain user type and b) having the correct permissions.


Yes, I'd use a token that you generate when the user registers and you store the token in the database. This also allows you to roll API keys for users.


I would use http://php.net/manual/en/function.openssl-random-pseudo-bytes.php to generate the token. At Stripe, this is expected to be passed as the "user" value in every request (-u token in cURL).

As for your app, I'm not positive what's the best, most secure storage route.
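To tie the thread's advice together (generate the token with a CSPRNG rather than md5(uniqid(rand(), true)), keep it in the database so it can be revoked or rolled, and require it on every request via a header), here is an added PHP example; it is not code from the thread or from Larry's book. It assumes a PDO connection $pdo and a table api_tokens(user_id, token_hash), both hypothetical.

```php
<?php
// Added example: issue a random API token at registration, store only its
// hash, and verify it on every stateless request. Assumes (hypothetical)
// a PDO connection $pdo and a table api_tokens(user_id, token_hash).

function generate_api_token(): string {
    // 32 CSPRNG bytes -> 64 hex chars. random_bytes() (PHP 7+) replaces
    // openssl_random_pseudo_bytes(); md5(uniqid(rand(), true)) is guessable.
    return bin2hex(random_bytes(32));
}

function store_api_token(PDO $pdo, int $userId, string $token): void {
    // Persist a SHA-256 of the token, not the token itself, so a leaked
    // database does not hand out working API keys.
    $stmt = $pdo->prepare('INSERT INTO api_tokens (user_id, token_hash) VALUES (?, ?)');
    $stmt->execute([$userId, hash('sha256', $token)]);
}

function revoke_api_tokens(PDO $pdo, int $userId): void {
    // Rolling a key: delete the old hash, then store a freshly generated token.
    $stmt = $pdo->prepare('DELETE FROM api_tokens WHERE user_id = ?');
    $stmt->execute([$userId]);
}

function token_from_request(array $server): ?string {
    // Expect "Authorization: Bearer <64 hex chars>". A header is preferred
    // over a GET parameter, which ends up in access logs and browser history.
    $header = $server['HTTP_AUTHORIZATION'] ?? '';
    if (preg_match('/^Bearer\s+([A-Fa-f0-9]{64})$/', $header, $m)) {
        return $m[1];
    }
    return null;
}

function authenticate(PDO $pdo, array $server): ?int {
    // Returns the user id for a valid token, or null (caller sends 401).
    $token = token_from_request($server);
    if ($token === null) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT user_id FROM api_tokens WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['user_id'] : null;
}

// Per request, before any user-specific or role-checked handler runs:
// $userId = authenticate($pdo, $_SERVER);
// if ($userId === null) { http_response_code(401); exit; }
```

Role and permission checks (the poster's user types) can then be looked up by the returned user id on each request, since nothing is kept in a session.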
