Databases
StackOverflow2013
Postsdbo
PO
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    primarykey
    data
    text
    <p>In order of increasing security / complexity:</p> <h2>Basic HTTP Auth</h2> <p>Many API libraries will let you build this in (Piston in Django for example) or you can let your webserver handle it. Both Nginx and Apache can use server directives to secure a site with a simple b64encoded password. It's not the most secure thing in the world but it is at least a username and password!</p> <p>If you're using Nginx you can add a section to your host config like so:</p> <pre><code>auth_basic "Restricted"; auth_basic_user_file /path/to/htpasswd; </code></pre> <p>(Put it in your <code>location /</code> block)</p> <p>Docs: <a href="http://wiki.nginx.org/HttpAuthBasicModule" rel="noreferrer">http://wiki.nginx.org/HttpAuthBasicModule</a></p> <p>You'll need to get the python script to generate that password and put the output into a file: <a href="http://trac.edgewall.org/browser/trunk/contrib/htpasswd.py?format=txt" rel="noreferrer">http://trac.edgewall.org/browser/trunk/contrib/htpasswd.py?format=txt</a></p> <p>The location of the file doesn't matter too much as long as Nginx has access to it.</p> <h2>HTTPS</h2> <p>Secure the connection from your server to the app, this is the most basic and will prevent man in the middle attacks.</p> <p>You can do this with Nginx, the docs for it are very comprehensive: <a href="http://wiki.nginx.org/HttpSslModule" rel="noreferrer">http://wiki.nginx.org/HttpSslModule</a></p> <p>A self-signed certificate for this would be fine (and free!).</p> <h2>API Keys</h2> <p>These could be in any format you like but they give you the benefit of revoking access should you need to. Possibly not the perfect solution for you if you're developing both ends of the connection. They tend to be used when you have third parties using the API, eg Github.</p> <h2>OAuth</h2> <p>OAuth 2.0 is the one to go with here. While I don't know the underlying workings of the spec it's the defacto standard for most authentication now (Twitter, Facebook, Google, etc.) and there are a ton of libraries and docs to help you get those implemented. That being said, it's usually used to authenticate a user by asking a third party service for the authentication.</p> <p>Given that you doing the development both ends it would probably be enough to put your API behind Basic HTTP Auth and serve it over HTTPS, especially if you don't want to waste time messing around with OAuth.</p>
    singulars
    1. This table or related slice is empty.
    1. POSecuring my Node.js app's REST API?
      singulars
      1. PTQuestion
    1. PTAnswer
    1. USjturnbull
    1. USghickman
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    3. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    1. COGreat answer. I see that OAuth seems to be the standard. But there seems to be 2-legged OAuth 1.0, 3-legged OAuth 1 and then this OAuth 2... So I should look into OAuth 2? ...I was thinking of HTTPS/SSL, but I'm not sure how something like an iPhone app could transmit over that (is that even possible)? ...another question with OAuth, can I be a provider as well as consumer, or do I need to - like you say - need to use a third-party to authenticate? In this situation, using a third-party wouldn't be too preferable, it's not really that sort of app. Thanks for the detailed reply!
      singulars
      1. PO
      1. USlittlejim84
    2. COOAuth 2 is the updated OAuth. I believe 1.0 is now considered "bad". iPhone will definitely work over HTTPS (Github in mobile Safari!).
      singulars
      1. PO
      1. USghickman
    3. COYou *can* be both but typically OAuth is used to authenticate using a third party. As @mjtamlyn pointed out below, using your current auth system is certainly a possibility. I've updated my answer with some steps for some of the parts.
      singulars
      1. PO
      1. USghickman
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload