Databases
StackOverflow2013
Postsdbo
PORESTful API with HMAC: how to manage user authentication
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PORESTful API with HMAC: how to manage user authentication
    primarykey
    data
    text
    <p>I am developing a RESTful API for my web and mobile applications. My intention with this API is to store all data of users so that my applications can access them easily. It is like Google's solution: you don't have a separate account for Gmail and Youtube, but a shared one.</p> <p>For every request (that needs USER authentication, not only APPLICATION authentication) the following workflow is applied:</p> <ul> <li><p>Application determines the message of the request:<br/> MESSAGE= URL + HEADERS + BODY</p></li> <li><p>Application calculates the signature of the request:<br/> SIGNATURE= HMAC(HMAC(MESSAGE, user_password), application_key)<br/></p></li> <li><p>Application sends the request via HTTP/HTTPS:<br/> REQUEST= MESSAGE + Signature</p></li> <li><p>API recreates the signature to authenticate both user and application:<br/> SIGNATURE= application_id/user_id HMAC(HMAC(MESSAGE, user_password_from_database), application_key)</p></li> </ul> <p>Where e.g.:<br/></p> <ul> <li><p>application_id = 1</p></li> <li><p>user_id = 123456</p></li> <li><p>user_password= 'mypass'</p></li> <li><p>user_password_from_database= '$2y$10$1234567890abcde...'</p></li> </ul> <p>The problem with this approach is that passwords in the database are irreversibly hashed (with BCrypt), and that's why I can't use them when I want to the recreate the signature of the request.</p> <p>My question is how it can be accomplished yet? Is sending user_password_from_database to the application via HTTPS a good practice? My basic workflow would be:</p> <ul> <li><p>User logs in to the application with user_email and user_password</p></li> <li><p>Application sends these credentials via HTTPS to the API</p></li> <li><p>API responds with user_id and user_password_from_database if credentials are OK</p></li> <li><p>From now, application can use these data to determine SIGNATURE.</p></li> <li><p>From now, API can recreate SIGNATURE because user_password_from_database is the secret key, not user_password</p></li> </ul> <p>How secure is this algorithm? Does HTTPS prevent abuse of user_password_from_database?</p> <p>Footnote: the signing method detailed above is just an example, indeed I took Amazon's <a href="http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html" rel="nofollow">AWS Signature Version 4</a> algorithm and tried to add some user authentication to it.</p>
    singulars
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PTQuestion
    1. USMáté Kocsis
    1. USMáté Kocsis
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. VO
      singulars
      1. PORESTful API with HMAC: how to manage user authentication
      1. This table or related slice is empty.
      1. VTUpMod
    1. COIt seems to me that you are trying to reinvent OAuth here. In principle what you propose is exactly what OAuth does: the user provides credentials, the server authenticates the user and provides an access token to the app. The app then uses this access token for as long as it's valid to authenticate to the server all the subsequent API calls. You just happened to pick access token == hashed user password, which is easier to do but also "worse" in the sense that a password change will force the token to be invalidated.
      singulars
      1. PORESTful API with HMAC: how to manage user authentication
      1. USJon
    2. COOf course the mechanics of the above solution are much worse than OAuth because of all the information that is exposed (app/user id), no protection from replay attacks etc. You should really look into OAuth 1.0, or if HTTPS is mandatory then OAuth 2.0 (HTTPS takes care of a lot of things and makes your life easier).
      singulars
      1. PORESTful API with HMAC: how to manage user authentication
      1. USJon
    3. COThanks for your comment, I will look at OAuth more deeply! Just to note: my solution is entirely based on Amazon's AWS Signature Version 4 (so it prevents replay attacks, too). The only thing I wanted to add to it, is some user authentication.
      singulars
      1. PORESTful API with HMAC: how to manage user authentication
      1. USMáté Kocsis
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload