Databases
StackOverflow2013
Postsdbo
PO
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    primarykey
    data
    text
    <p>Craig, great question. I am no expert, but have <a href="http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/" rel="noreferrer">thought a lot about this</a>, so a few thoughts.</p> <p>Assuming we have to code against the lowest-common denominator, and using your requirement list (all 4 items) as my design seed, I would say the following:</p> <ol> <li><strong>No SSL</strong> - Since you cannot guarantee SSL, you will have to go with a public/private key HMAC design. Let's just assume all traffic is over HTTP and is infinitely sniffable, which means you cannot transport any secure tokens or signing keys at any point over the wire to the caller, which means they need them already, which means a private signing key a-la something like what AWS does (or 2-legged OAuth or what I outlined in that article above).</li> <li><strong>No Replay</strong> - Using a nonce to block replay doesn't require it be generated by the server, you can use any value here. The nonce just needs to be unique, needs to be included in your HMAC calculation (signature) and the server needs to remember it. For example, generate a UUID as a nonce on the client, sign the request, send it across to the server: <code>?sig=&lt;a mess of chars&gt;&amp;args=&lt;more stuff&gt;&amp;nonce=f81d4fae-7dec-11d0-a765-00a0c91e6bf6</code> -- the server will record <code>f81d4fae-7dec-11d0-a765-00a0c91e6bf6</code> as processed and never allow it to be used again. You can probably safely expire these from the DB after a reasonable amount of time (month? depends on velocity/usage/etc). TIP: This is a <em>perfect</em> use-case for using Redis SETs and the <a href="http://redis.io/commands/sismember" rel="noreferrer">SISMEMBER command</a>.</li> <li>(see #2, combined answer)</li> <li>The request <strong>must</strong> be signed by the sender in its entirety. The key to understanding "what needs to get signed" is as simple as: anything you DON'T include in the HMAC (signature) calculation can be manipulated by a man-in-the-middle (MITM). Everything included in the sig is secured and CANNOT be changed without the sig check failing. This is why the OAuth specs (both of them) have pedantic rules about byte-ordering arguments, and how to append them and how to combine them, but you sign the <em>entire</em> request. Some APIs say something as simple as "take the entire query string, and sign it" -- but sometimes you get too much in that signature, like the domain name or endpoint that you might not want in there and need to change it in the future (or maybe you do, you're call).</li> </ol> <p>Just so you know, the thing that makes secure API design <em>instantly</em> painful is the moment you don't require HTTPS for all communication. As soon as you do that, you have to turn to solutions like HMAC's/signing requests and nonce's. If your communication with the sever is secured over HTTPS and both can trust each other, life gets much better and you can do things like simple basic auth and just give the server an API_KEY with every request to identify who (or what) is making the request.</p> <p>Hope that helps! It seems you've looked into this quite a bit already, so my apologies if you already knew all this and it didn't help.</p>
    singulars
    1. This table or related slice is empty.
    1. PO2-legged auth standards in 2013 - should we use oAuth2?
      singulars
      1. PTQuestion
    1. PTAnswer
    1. USRiyad Kalla
    1. USRiyad Kalla
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PO2-legged auth standards in 2013 - should we use oAuth2?
      singulars
      1. PTQuestion
    1. This table or related slice is empty.
    1. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    3. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    1. COHMAC is the way I was leaning as well, so I'm glad we are on the same page... but my frustration is with oAuth 2 being presented as the solution for everything, but I really don't think it is (too complicated, and too generic to actually be implemented by everyone in exactly the same way)... I've +1 your answer, but still hopeful for a fully spec'd standard.
      singulars
      1. PO
      1. USCraig Francis
    2. COAlso, with the server recording the nonce (to avoid re-play), it could be deleted after a day, as long as you keep the UTC timestamp in there (as you also mention in your linked post).... but I'd suggest longer so you can have a log of whats happened on the server.
      singulars
      1. PO
      1. USCraig Francis
    3. CO@CraigFrancis You are absolutely right, OAuth 2 has turned into a monster and not such a clear spec (why one of the original authors left). I know you are looking for a spec-compliant answer, but keep in mind that not even AWS, one of the heaviest used APIs out there, follows any spec -- they did their own HMAC-based thing. I am sure it was because OAuth wasn't around back then (en-mass), but just pointing out that doing your own way, as long as it is clearly defined and easy to follow, isn't so bad.
      singulars
      1. PO
      1. USRiyad Kalla
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload