I’m developing a very basic RoR app that will essentially only be used by 2-3 people within my organization. I have some other apps (written in Perl) that from time to time need to request a JSON object from the RoR app. I need to prevent unauthorized access to this request, but I don’t need anything fancy since only my apps will be requesting access. Is it secure (enough, for this purpose) to just require that the app requesting POST some pre-determined “password,” and have the RoR app reply with the JSON object only if that password is supplied in the POST request? Are there any other suggestions out there for some easy and secure method to accomplish this? I am very new to RoR.
Thank you!
Jeff
You can implement far more fancy solutions, but your way is quite effective. You can hide the transmission of the password, by simply making your app use SSL, and it’ll be more secure (many sites still transmit credentials in plain text) than many web services. And since the credentials are limited to use between the client and the server, you can make it as long as you’d like which will limit the risk of a brute-force password attack.
If you want to go to something more exotic, I’d recommend using the gem ‘api_auth’, which adds a signature to your URL params that is a hash of your entire request and a secret key. The gem will generate the signature on the client and then authenticate the signature on the server. This is a very strong solution. In fact, you don’t need SSL, unless you don’t want anyone to see the URL and params itself. But the signature is unique to the exact request and all of the request params including request.ip, which makes the request unusable by anyone but the originator. A side note–the signature is appended to the request header, so you won’t see anything different in your url or in your console log.