User identification
webhunter, 2015-02-27 22:21:37

What is the best way to organize authentication for REST API?

1) As I understand it, http basic is bad if ssl is not used, because the password will go over the network in clear text.
2) It is also sometimes suggested to send a hash of (password + resource address + current time + time delta) with each request. In this case, I have three questions:
- Why transmit these timestamps? What does the server do with them?
- It turns out that passwords on the server must be stored in clear text, because the hash needs to be recomputed. Is that correct?
- Is this approach safe without ssl?
3) If ssl is used, which authentication option is the most correct?


2 answer(s)
Alexey, 2015-02-28
@TsSaltan

Sending the password in clear text without ssl is bad.
If there is no ssl, you need to sign requests: send a hash of (password + resource address + transferred data + unique request id).
The unique id can be a timestamp; the id can be recorded, or checked against the current timestamp on the server. If a request id repeats, or the difference between the timestamp and the current time is large enough, the request is not processed. The point of such protection is that if a request is intercepted by an attacker, he will not be able to execute that request again, even if the signature (hash) is correct.
https://ru.wikipedia.org/wiki/Nonce
Also, it is desirable to use SHA-2 hashing algorithms.
And it is better not to store and use a password, but to generate a random key with length > 32 and with special characters.
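
The scheme Alexey describes, as an added example that is not part of the original answer: the client signs method, path, body, timestamp and nonce with HMAC-SHA256 under a random per-client key (so the server stores that key, not the user's password), and the server rejects stale timestamps and repeated nonces. The client id, key, 60-second window and fixed clock are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed example data: a random per-client secret shared out of band (not the password).
CLIENT_KEYS = {"client-1": b"k7Vq!9zL#p2Rw@4eXs^1Hn&6bTc*0YdM"}
MAX_SKEW = 60  # seconds a request timestamp may differ from the server clock


def sign(key: bytes, method: str, path: str, body: bytes, ts: int, nonce: str) -> str:
    """HMAC-SHA256 over method, path, body, timestamp and nonce, newline-separated."""
    msg = b"\n".join([method.encode(), path.encode(), body, str(ts).encode(), nonce.encode()])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Server side: checks freshness, uniqueness of the nonce, then the signature."""

    def __init__(self, keys, now=time.time):
        self.keys = keys
        self.now = now          # injectable clock so the check is testable offline
        self.seen = {}          # nonce -> timestamp of the request that used it

    def verify(self, client_id, method, path, body, ts, nonce, sig):
        key = self.keys.get(client_id)
        if key is None:
            return "unknown client"
        server_now = int(self.now())
        if abs(server_now - ts) > MAX_SKEW:
            return "stale timestamp"          # outside the window: not processed
        if nonce in self.seen:
            return "replay"                   # same nonce seen before: not processed
        expected = sign(key, method, path, body, ts, nonce)
        if not hmac.compare_digest(expected, sig):
            return "bad signature"            # constant-time comparison of the hashes
        self.seen[nonce] = ts
        # Nonces older than the window can never be accepted again, so forget them.
        cutoff = server_now - MAX_SKEW
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}
        return "ok"
```

Keeping the nonce store bounded by the time window is what makes the timestamp and the nonce work together: the timestamp limits how long a replayed request could be valid, and the nonce closes that remaining window.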

Nazar Mokrinsky, 2015-02-28
@nazarpc

For what purpose? It is not clear from the question.
In general, you can use OAuth2 and tokens (all popular social networks and other services use OAuth2 or, in some rare cases, OAuth1).
Anything that involves storing passwords in plain text is wrong from the outset.
