Secured RESTful API that can be used by Web App (Angular), iOS and Android

<p>I have to lay out a plan to develop a RESTful API (Python/Flask) that could be used by our future web app (AngularJS) and mobile apps (iOS/Android).</p>
<p>I have been researching for three days and have come across several scenarios. Using HTTPS is one way, on top of the methods below, to keep it safer. But HTTPS is slower, which could mean we need faster and more expensive servers.</p>
<ol>
<li>Using Basic-Http-Auth and sending username/password in plain (yet HTTPS) over the wire for every request to the API.</li>
<li>Using Digest-Auth, which is a hash of the password, and the tracking would be automatic. This would work for the web app; however, I wasn't able to confirm if iPhones and Android would support this natively. If they do, that could be an easy solution!</li>
<li>Using a custom HTTP header, where I would send a custom Auth string in the HTTP header upon a successful authentication. But then I have to make sure I am sending this auth code for every request that the user makes. This makes it exactly like 1) with the difference that plain passwords aren't used and the auth code can expire without any risk. Also problematic is the tracking of the auth code, which is no longer automated as in 2).</li>
<li>Using OAuth is an option. But it's quite difficult to set up. If there is no better way, maybe that's the only way?</li>
<li>Securing the API like Amazon S3 as described in this <a href="http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/" rel="noreferrer">great article</a>. In short, he says that both server and client would know of a private key, which they would use to hash the communication. It will be like a gangster handshake: you would only trust the delivery boy if he knows the gangsta handshake. Further down in the comments someone asks:</li>
</ol>
<blockquote>
<p>How to keep the private key “secure” in a pure HTML5 app?</p>
<p>You are exactly right; in a pure HTML5 (JS/CSS/HTML) app, there is no protecting the key. You would do all communication over HTTPS, in which case you wouldn’t need a key since you could safely identify a client using a standard API_KEY or some other friendly identifier without the need or complexity of an HMAC.</p>
</blockquote>
<p>So in other words there is even no point in using the method for a web app in the first place. And honestly I don't understand how this should work on the mobile device either. A user downloads our app, and how do I send the private key from the iPhone to the server? The moment I transferred it, it will be compromised.</p>
<p>The more I am researching, the more indecisive I am getting.</p>
<p>I was hoping to ask some pros who have done this previously and could share their experience. Many thanks</p>
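Scenario 5 (S3-style request signing) as an added example, not code from the question or the linked article: the client signs each request with a shared secret, and the server recomputes the HMAC and rejects tampered or replayed requests. The key store, the header names, the 300-second replay window and the sample request are all constructed for this illustration; as the quoted comment notes, the secret can only be kept out of reach in a native client, not in a pure browser app.

```python
import hmac
import hashlib
import time

# Constructed key store: api_key -> shared secret (in practice this lives server-side in a DB).
KEYS = {"client-123": b"constructed-demo-secret"}
MAX_SKEW = 300  # seconds; a request whose timestamp is older than this is treated as a replay


def canonical_string(method, path, timestamp, body):
    """The exact bytes both sides sign; any differing byte (method, path, time, body) changes the MAC."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(api_key, secret, method, path, body, timestamp=None):
    """Client side: build the three headers the client attaches to the request."""
    ts = str(int(timestamp if timestamp is not None else time.time()))
    sig = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Api-Key": api_key, "X-Timestamp": ts, "X-Signature": sig}


def verify_request(headers, method, path, body, now=None):
    """Server side: return (ok, reason). The MAC is recomputed from the request as received."""
    now = time.time() if now is None else now
    secret = KEYS.get(headers.get("X-Api-Key"))
    if secret is None:
        return False, "unknown api key"
    ts = headers.get("X-Timestamp", "")
    if not ts.isdigit() or abs(now - int(ts)) > MAX_SKEW:
        return False, "timestamp outside replay window"
    expected = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    # compare_digest is constant-time, so a wrong signature does not leak how many bytes matched
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"qty":1}'
    hdrs = sign_request("client-123", KEYS["client-123"], "POST", "/v1/orders", body)
    print(verify_request(hdrs, "POST", "/v1/orders", body))          # (True, 'ok')
    print(verify_request(hdrs, "POST", "/v1/orders", b'{"qty":2}'))  # (False, 'bad signature')
```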