Larry Ullman's Book Forums
Jonathon

Rest Authentication


As a total newbie to REST, and with the intention of using it in a web service, I was a little unsure about how authentication takes place. Reading around, it should be stateless, so not involve cookies and sessions, and a lot of places talk about using a token. But I wanted to be clearer on exactly that. So I had a couple of questions:

1) Is it a case that when you create a user via the webapp or an iphone app that you should automatically create an auth_token for this person and store it in your DB?

2) Would something like a md5(uniqid(rand(),true)); be suitable for a token?

3) From there, how should you use the token with requests?

4) Is the token then stored in CoreData or a file on the app and pulled from there?


What are your needs here? If this is a read-only (only GET operations) API, you don't need strict authentication, or might not need it at all. Tokens can be used to make sure only those with a valid key can fetch data; you can throttle their calls and build statistics. You could also consider leaving it out completely. If the API is read-only, a simple token emailed to users is enough. You can add this token to a GET param or insert it into a header in your calls.

1. Seems like a good idea. That way you can also retract tokens.

2. Probably. How important is security? The tokens generated should take this into account.

3. You should require users to pass the token upon every request. As you said, there's no state here.

4. Sounds reasonable.

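An added example, not code from this thread, of what "pass the token upon every request" looks like on the server side in PHP: the token is read from an Authorization header (or, as a fallback, a GET parameter; the header is checked first because query strings tend to end up in access logs), looked up with a constant-time comparison, and counted against a per-token limit, which covers the throttling mentioned above. The token table, the limits, the request arrays and the token values are all constructed placeholders for the demo, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the thread): validating an API token on every
// request, accepting it from the Authorization header or a GET parameter.
// TOKEN_STORE is a constructed in-memory stand-in for the database table.
declare(strict_types=1);

// Constructed sample store: token => [user id, role, calls per minute].
// The token strings are placeholders, not real keys.
const TOKEN_STORE = [
    'placeholder-token-for-alice' => ['user' => 1, 'role' => 'admin',  'limit' => 60],
    'placeholder-token-for-bob'   => ['user' => 2, 'role' => 'reader', 'limit' => 10],
];

// Pull the token out of the request: "Authorization: Bearer <token>" first,
// then the ?token= query parameter as a fallback.
function extractToken(array $server, array $query): ?string
{
    $auth = $server['HTTP_AUTHORIZATION'] ?? '';
    if (preg_match('/^Bearer\s+([A-Za-z0-9\-_]+)$/', $auth, $m)) {
        return $m[1];
    }
    if (isset($query['token']) && is_string($query['token']) && $query['token'] !== '') {
        return $query['token'];
    }
    return null;
}

// Walk the whole store and compare with hash_equals() so the time taken does
// not reveal how much of the presented token matched a stored one.
function lookupToken(string $token): ?array
{
    $found = null;
    foreach (TOKEN_STORE as $stored => $record) {
        if (hash_equals($stored, $token)) {
            $found = $record;
        }
    }
    return $found;
}

// Fixed-window throttle: counts calls per token per clock minute.
// Returns false once the token's limit for this window is exceeded.
function throttle(array &$counters, string $token, int $limit, int $now): bool
{
    $key = $token . ':' . intdiv($now, 60);
    $counters[$key] = ($counters[$key] ?? 0) + 1;
    return $counters[$key] <= $limit;
}

// Authenticate one request. Returns [HTTP status, response payload].
function authenticate(array $server, array $query, array &$counters, int $now): array
{
    $token = extractToken($server, $query);
    if ($token === null) {
        return [401, ['error' => 'missing token']];
    }
    $record = lookupToken($token);
    if ($record === null) {
        return [401, ['error' => 'invalid token']];
    }
    if (!throttle($counters, $token, $record['limit'], $now)) {
        return [429, ['error' => 'rate limit exceeded']];
    }
    return [200, ['user' => $record['user'], 'role' => $record['role']]];
}

// Demo with constructed requests: one via the header, one via a bad query param.
$counters = [];
[$code, $body] = authenticate(
    ['HTTP_AUTHORIZATION' => 'Bearer placeholder-token-for-alice'], [], $counters, time()
);
echo $code . ' ' . json_encode($body) . PHP_EOL;

[$code, $body] = authenticate([], ['token' => 'wrong'], $counters, time());
echo $code . ' ' . json_encode($body) . PHP_EOL;
```

In a real service `$server` and `$query` would be `$_SERVER` and `$_GET`, and the counters would live in a shared store such as the database or a cache rather than a local array, since each PHP request starts with fresh memory.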

Thanks Thomas.

It won't be totally read-only. A lot of it will be, but there will be some user-specific calls I want to use, and there will be certain user roles that will need to be verified as a) being a certain user type and b) having the correct permissions.


Yes, I'd use a token that you generate when the user registers and you store the token in the database. This also allows you to roll API keys for users.

I would use http://php.net/manual/en/function.openssl-random-pseudo-bytes.php to generate the token. At Stripe, this is expected to be passed as the "user" value in every request (-u token in cURL).

As for your app, I'm not positive what's the best, most secure storage route. 


If you use a bytes length of 16 for the function, then run it through bin2hex(), you'll get a string 32 characters long, which is good. 

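An added example, not code from this thread, putting the two replies above together in PHP: 16 bytes from openssl_random_pseudo_bytes() run through bin2hex() give the 32-character token, the token is tied to a user row at registration, and re-issuing it "rolls" the key so the old one stops working. Two choices here are this example's own, not the thread's: the `$crypto_strong` flag is checked so a weak source is refused (a time-based uniqid() with rand() would not give that guarantee, which is why the replies prefer the OpenSSL function), and only a SHA-256 hash of the token is stored, so a leaked table does not hand out working keys. The SQLite in-memory database is a stand-in for the real users table and assumes the pdo_sqlite extension; the user id 42 is a constructed value.

```php
<?php
// Added example (not from the thread): generating a 32-hex-character API
// token, storing its hash against a user, resolving a presented token back to
// the user, and rolling the token. SQLite in memory stands in for the real DB.
declare(strict_types=1);

// 16 random bytes -> 32 hex characters after bin2hex().
function generateToken(int $bytes = 16): string
{
    $strong = false;
    $raw = openssl_random_pseudo_bytes($bytes, $strong);
    if ($raw === false || !$strong) {
        // Refuse to hand out a token the CSPRNG could not vouch for.
        throw new RuntimeException('no cryptographically strong randomness available');
    }
    return bin2hex($raw);
}

// The table holds hash(token), never the token itself.
function tokenHash(string $token): string
{
    return hash('sha256', $token);
}

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE api_tokens (
        user_id    INTEGER PRIMARY KEY,
        token_hash TEXT    NOT NULL UNIQUE,
        created_at INTEGER NOT NULL
    )');
    return $db;
}

// Issue (or roll) the token for a user. The plaintext is returned exactly
// once, at creation, which is the only time the client ever sees it.
function issueToken(PDO $db, int $userId): string
{
    $token = generateToken();
    $stmt = $db->prepare(
        'INSERT OR REPLACE INTO api_tokens (user_id, token_hash, created_at)
         VALUES (:uid, :hash, :now)'
    );
    $stmt->execute([':uid' => $userId, ':hash' => tokenHash($token), ':now' => time()]);
    return $token;
}

// Resolve a presented token to a user id, or null when it is unknown.
// Looking up by hash means no plaintext token is ever compared or stored.
function userForToken(PDO $db, string $token): ?int
{
    $stmt = $db->prepare('SELECT user_id FROM api_tokens WHERE token_hash = :hash');
    $stmt->execute([':hash' => tokenHash($token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['user_id'];
}

// Demo: register a constructed user 42, check the token, then roll it.
$db = setupDb();
$first = issueToken($db, 42);
printf("token length: %d, resolves to user: %s\n",
    strlen($first), var_export(userForToken($db, $first), true));

$second = issueToken($db, 42);
printf("old token still valid: %s, new token valid: %s\n",
    var_export(userForToken($db, $first) !== null, true),
    var_export(userForToken($db, $second) !== null, true));
```

On PHP 7 and later random_bytes() does the same job as openssl_random_pseudo_bytes() without needing the OpenSSL extension, and throws instead of returning a weak result; the rest of the code is unchanged if you swap it in.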
