Ruby on Rails
Bogdan, 2018-02-20 17:31:56

Authentication for api?

Hello. I plan to use Rails purely as an API for an SPA on Vue. How do I properly organize user authentication?
1) We send a POST request from the client with a login and password, compare it all with bcrypt
2) if everything is OK, then we generate a token using SecureRandom.urlsafe_base64 and send it in the response
3) we save this token in cookies for one hour

cookies[:remember_token] = { value: remember_token,
                             expires: 1.hour.from_now.utc }

4) Well, then access to the api will go through the passed token, and if it is successful, then the cookie session will be extended by one hour.
Well, the scheme is still purely theoretical.
Is there a better algorithm? Thank you.
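
Steps 2 to 4 of the scheme above as an added Ruby example (not part of the original post): the server keeps only a SHA-256 digest of each issued token and slides the one-hour expiry on every successful lookup. The `TokenSessions` class, its in-memory hash and its method names are hypothetical, and the bcrypt password check from step 1 is assumed to have already passed.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical in-memory session store; a real API would back this with a table.
class TokenSessions
  TTL = 3600 # one hour, as in step 3 of the question

  def initialize
    @rows = {} # SHA-256(token) => { user_id:, expires_at: }
  end

  # Step 2: issue a random token. Only its digest is stored, so a leaked
  # session table does not hand out tokens that can be replayed.
  def issue(user_id, now: Time.now)
    token = SecureRandom.urlsafe_base64(32)
    @rows[digest(token)] = { user_id: user_id, expires_at: now + TTL }
    # In a Rails controller the token would then go into the cookie from the
    # question, with httponly: true and secure: true added to the options.
    token
  end

  # Step 4: resolve the presented token, drop it if expired,
  # otherwise extend the session by another hour.
  def authenticate(token, now: Time.now)
    key = digest(token.to_s)
    row = @rows[key]
    return nil if row.nil?
    if row[:expires_at] <= now
      @rows.delete(key)
      return nil
    end
    row[:expires_at] = now + TTL
    row[:user_id]
  end

  # Logout: server-side revocation, which a bare cookie expiry cannot give.
  def revoke(token)
    !@rows.delete(digest(token.to_s)).nil?
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```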

2 answer(s)
Riley Usagi, 2018-02-20
@RileyUsagi

Just today there was already a question on this topic. Literally on the first page.
Read about JWTs.

xmoonlight, 2018-02-20
@xmoonlight

The first mistake is to send LOGIN and PASSWORD with a POST request.
We always send hashed data with the server key!
Minimum information - read here.
