I am a beginner web-developer and I have some doubts about the security of an API that I developed. It’s a simple web-service that requires authentication in order to access/modify data.
I am wondering what are the best practices for authenticating users via HTTP.
Currently my app works like this:
User authenticates through an API request (POST) which requires the username and the password. The response contains info about the user and a TOKEN which will be used in the future for further requests.
My concerns: I don’t know if the auth request should be POST. It sounds more like a GET, because POST should create something (at least this is the convention in Ruby on Rails). And then, even with POST or GET, the information is still “visible” during the transfer of the information. I heard something about HTTPS – how does that solves the problem?
The token is generated at user creation time – and remains the same in time. Is this bad? Should the token be generated again after a “logout”? I’ve seen APIs that use an API_KEY along a token for authentication. How does that work?
I have some GET requests to retrieve information about something. With this request I pass as an parameter the token retrieved from the authentication request. Is this ok? I mean that token is sensitive information.
Where can I find more information about these concerns of mine (book, article, w/e)?
HTTPs encrypts all traffic to your web site, and so would hide any get and post requests. It requires you to purchase an HTTPS certificate (which are cheap), and get a non-shared IP to host on (not so cheap). (If anyone talks about self signed certificates – well, it’s possible, but ill advised if external people want to talk to your service).
Having a long lasting login token can be bad, it depends what sort of non-repudiation you want. If someone can log in 2 years ago, and continue using a token how do you know it’s still the original requestor? Tokens should expire and have a way to re-request.
API keys generally work on a shared secret which is swapped out of band (by getting it from the hoster’s web site generally). A custom authentication scheme and header is used, and must be calculated and checked for each request. This doesn’t require HTTPS – the shared secret is used to generate the authentication header, but isn’t sent with it, so the secret doesn’t travel with each request. Of course you need to write this code, and figure out what you want the process to be. I’d generally avoid this unless you know what you’re doing – you need to take a canonical representation of the request, sign it, then use that as the header. It’s not complicated, but it’s not simple either.