After creating a basic REST service, I've come to the point where it would be appropriate to add some sort of password protection, as I need to verify that my users are both properly logged in and have sufficient permissions to execute whatever action they are going to.
The REST service will mainly be accessed from a JavaScript-heavy frontend and with that in mind, I have come up with the following two alternatives to solve this:
- Make users log in by first sending credentials to a `/login` page with `POST`. The page sets a session cookie in which the user is marked as logged in, along with the permission level. On each following request, I verify that the user is logged in and his/her permission level. When the session expires, automatically or manually (logout), the user will have to re-logon.
- Temporarily save the credentials hashed locally and send the user's credentials along with every single request made by the user to verify the credentials & permissions in the backend on a per-request basis.
Are there more ways to solve this and is there something else that I should be concerned with?
I'm currently developing a REST API along with a client (written in JavaScript); below I'll try to explain the methods used to protect the API against unauthorized access.

Make your REST API require an `Auth-Key` header upon every request to the API, besides `/api/authenticate`. `/api/authenticate` will take a username and a password (sent using `POST`), and return user information along with the `Auth-Key`.

This `Auth-Key` is randomly generated after a call to `/api/authenticate` and stored in the backend `users` table with the specific user entry, along with an `md5` hash of the remote IP + the user agent provided by the client.

On every request, the value of `Auth-Key` and the `md5` sum mentioned are searched for in `users`. If a valid user is found that has been active during the past `N` minutes, the user will be granted access; if not, HTTP return code 401.

In the REST client, first get the `Auth-Key` by posting to `/api/authenticate`, then store this value in a variable and send it on every future request.
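The scheme in the answer above, worked through as an added example that is not part of the original answer or any project's code: an in-memory stand-in for the `users` table, an `authenticate` step that issues a random `Auth-Key` bound to a client fingerprint, and an `authorize` step that checks the key, the fingerprint and the `N`-minute inactivity window on every other request. Two choices here are assumptions that differ from the answer's wording: the fingerprint of remote IP + user agent uses SHA-256 rather than `md5`, and the password is stored as a salted PBKDF2 hash rather than compared directly. The user record, the `AuthStore` class and the sample credentials are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

INACTIVITY_LIMIT_MINUTES = 15  # the "N minutes" from the answer (assumed value)


@dataclass
class UserRecord:
    """Constructed stand-in for one row of the backend `users` table."""
    username: str
    salt: bytes
    password_hash: bytes
    auth_key: Optional[str] = None          # the issued Auth-Key, None when logged out/expired
    client_fingerprint: Optional[str] = None  # hash of remote ip + user agent at login
    last_active: float = 0.0                # unix time of the last accepted request


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash for stored passwords (assumed; the answer does not specify).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _fingerprint(remote_ip: str, user_agent: str) -> str:
    # The answer hashes ip + user agent with md5; SHA-256 is used here instead.
    return hashlib.sha256(f"{remote_ip}|{user_agent}".encode()).hexdigest()


class AuthStore:
    def __init__(self) -> None:
        self.users: dict = {}

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = UserRecord(username, salt, _hash_password(password, salt))

    def authenticate(self, username: str, password: str, remote_ip: str,
                     user_agent: str, now: Optional[float] = None) -> Optional[str]:
        """POST /api/authenticate: verify credentials and issue a fresh Auth-Key."""
        user = self.users.get(username)
        if user is None:
            # Hash anyway so unknown and known usernames take similar time.
            _hash_password(password, secrets.token_bytes(16))
            return None
        if not hmac.compare_digest(_hash_password(password, user.salt), user.password_hash):
            return None
        user.auth_key = secrets.token_urlsafe(32)  # random, unguessable key
        user.client_fingerprint = _fingerprint(remote_ip, user_agent)
        user.last_active = now if now is not None else time.time()
        return user.auth_key

    def authorize(self, auth_key: Optional[str], remote_ip: str, user_agent: str,
                  now: Optional[float] = None) -> Tuple[int, Optional[str]]:
        """Check the Auth-Key header on every other request.

        Returns (http_status, username): 200 with the user on success, 401 otherwise.
        """
        now = now if now is not None else time.time()
        if not auth_key:
            return 401, None
        fp = _fingerprint(remote_ip, user_agent)
        for user in self.users.values():
            if (user.auth_key is not None
                    and hmac.compare_digest(user.auth_key, auth_key)
                    and hmac.compare_digest(user.client_fingerprint, fp)):
                if now - user.last_active > INACTIVITY_LIMIT_MINUTES * 60:
                    user.auth_key = None  # idle too long: expire the key
                    return 401, None
                user.last_active = now  # sliding window: activity extends validity
                return 200, user.username
        return 401, None


if __name__ == "__main__":
    store = AuthStore()
    store.add_user("alice", "correct horse")  # constructed sample credentials
    key = store.authenticate("alice", "correct horse", "203.0.113.5", "UA/1.0")
    print("issued key:", key)
    print("same client:", store.authorize(key, "203.0.113.5", "UA/1.0"))
    print("other ip:   ", store.authorize(key, "198.51.100.9", "UA/1.0"))
```

Two points worth noting from the defender's side: the lookup compares the key with `hmac.compare_digest` rather than `==` so that a wrong key does not leak how many leading bytes matched, and the inactivity check is a sliding window, so a key that is used regularly stays valid while an abandoned one expires after `N` minutes. Binding the key to IP + user agent, as the answer proposes, means a stolen key is useless from another address, but it also logs out legitimate users whose IP changes (mobile networks, proxies), which is a trade-off to decide per deployment.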