Node.js
Cyril, 2017-02-25 22:46:51

Does it make sense to sign REST API requests?

Does it make sense to sign each request to the server's REST API on the client side with a special access token (access_token)?
This access token is sent to the client as soon as it successfully logs in to the server.
Or is it enough to use cookies? When I log in through the browser, a user session cookie is saved. Maybe just check each client request for the presence of a user session cookie?
UPD:
The scheme is something like this:
1. The client logs in to the server:
Server <———(/login)——— Client
2. The server opens a user session and gives the client a cookie:
Server ———(cookie)———> Client
3. The client makes a request to the server's REST API, putting the cookie ID in a request header:
Server <———(REST API + headers with cookie ID)——— Client
4. The server looks at the client's cookie:
Server ~~~~~~~(Where is the cookie??)~~~~~~> Client
5. The client shows the cookie in response:
Server <~~~~~~~(Here it is: ...)~~~~~~ Client
6. The server checks the client's cookie against the cookie ID passed in the REST API request. It then checks the cookie ID against the user session ID. If both checks pass, the next step is .
7. The server executes the REST API request and returns the result:
Server ~~~~~~~(Get data ^_^ )~~~~~~> Client
Thanks in advance.


1 answer(s)
vintage, 2017-02-25
@belyaevcyrill

A cookie is also an access_token, only the browser substitutes it automatically, even when the request is initiated not by your page but by a page of some random third-party site. Accordingly, when the token is passed through cookies, a third-party site will be able to make requests to yours on behalf of the user. Whether that should be allowed is up to you. If it should, just use cookies. If not, the simplest thing is to send the token taken from the cookie in a header with the request, and check on the server that the two match. A script can only read cookies from the same site that set them. It is better not to send the token in the URL, so that it does not end up in logs.
