I have implemented a web service using a Rails server.
The server uses the Rails default authentication scheme for user login.
Now I am developing a native mobile app for the service, and the app communicates with the server using JSON requests and responses.
Since the native mobile app is Safari based, authentication works fine as the session id can be set in a cookie, but I am concerned that it is at risk of a CSRF attack, since Rails only deals with such attacks for HTML requests using the CSRF token.
My questions are the following:
– Do you know of any way of working around this?
– Should I implement different controllers for the mobile app, since it is more like a closed (private) API? If so, what is the standard way of doing authentication?
Many Thanks
Basic HTTP authentication over HTTPS should do the trick.
Client code executes JSON API requests as normal and sets the
`Authorization` header with the basic credentials (assuming the client app has logged in and has access to the username/password). This is essentially plaintext, but will be safe from eavesdropping if transmitted over HTTPS.
Rails has some built-in helpers for checking the username/password.
Alternatively, 2-legged OAuth could do the trick as well, but is more complicated to implement.
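The exchange the answer describes, written out as an added example (it is not code from the question or the answer, and it does not use Rails so that it runs with nothing but the Ruby standard library). The client side builds the `Authorization: Basic` header; the server side mirrors what `authenticate_or_request_with_http_basic` plus `force_ssl` would do in a Rails controller: refuse plain HTTP, parse the header, and compare the password against a stored PBKDF2 digest in constant time. The user `alice`, her password, the salt, and the hash-like `env` representing the request are all constructed for the example; the `rack.url_scheme` and `HTTP_AUTHORIZATION` keys are the real Rack env names Rails reads.

```ruby
require "base64"
require "openssl"

# ---- server-side credential store (constructed for this example) ----
PBKDF2_ITERATIONS = 100_000
DIGEST_LEN = 32

# Derive a PBKDF2-HMAC-SHA256 digest; the clear-text password is never stored.
def password_digest(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, DIGEST_LEN, "sha256")
end

ALICE_SALT = OpenSSL::Random.random_bytes(16)
USERS = {
  "alice" => { salt: ALICE_SALT,
               digest: password_digest("correct horse battery staple", ALICE_SALT) },
}.freeze

# Used for unknown usernames so the KDF still runs and timing does not
# reveal which accounts exist.
DUMMY_SALT = OpenSSL::Random.random_bytes(16)

# Constant-time byte comparison (what Rails' secure_compare helper does):
# no early exit on the first differing byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# ---- client side ----
# The native app attaches this header to every JSON request itself; nothing is
# sent automatically by a cookie jar, which is why a cross-site page cannot
# forge an authenticated request.
def basic_auth_header(username, password)
  "Basic " + Base64.strict_encode64("#{username}:#{password}")
end

# ---- server side ----
# env is a minimal stand-in for the Rack env a Rails controller sees.
# Returns { status: 200, user: name } on success, { status: 401 | 403 } otherwise.
def authenticate(env)
  # Equivalent of force_ssl: credentials are plaintext inside the header, so
  # never accept them over http.
  return { status: 403 } unless env["rack.url_scheme"] == "https"

  header = env["HTTP_AUTHORIZATION"].to_s
  unauthorized = { status: 401, challenge: 'Basic realm="api"' }
  return unauthorized unless header.start_with?("Basic ")

  decoded = begin
    Base64.strict_decode64(header.delete_prefix("Basic "))
  rescue ArgumentError
    return unauthorized # malformed base64
  end

  # Limit 2 so a password containing ':' survives; usernames cannot contain ':'.
  username, password = decoded.split(":", 2)
  return unauthorized if username.nil? || password.nil?

  user = USERS[username]
  salt = user ? user[:salt] : DUMMY_SALT
  candidate = password_digest(password, salt) # always run the KDF
  return unauthorized unless user && secure_compare(candidate, user[:digest])

  { status: 200, user: username }
end

if __FILE__ == $PROGRAM_NAME
  good = basic_auth_header("alice", "correct horse battery staple")
  p authenticate("rack.url_scheme" => "https", "HTTP_AUTHORIZATION" => good)
  p authenticate("rack.url_scheme" => "http",  "HTTP_AUTHORIZATION" => good)
  p authenticate("rack.url_scheme" => "https", "HTTP_AUTHORIZATION" => basic_auth_header("alice", "guess"))
end
```

One caveat when carrying this over to the app: Basic auth only removes the CSRF problem while the client sets the header itself per request. Browsers (and web views) cache Basic credentials and resend them automatically to the same realm, which recreates the ambient authority that makes cookie sessions forgeable, so the JSON endpoints should be called from native code rather than from pages loaded in the embedded browser.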