Tips designing Restful API - Is this authentication logic reasonable?

Question

I am working to provide a REST API for a service. One issue that I am struggling with is the authentication aspect. I have inspected some other libraries and I noticed a strategy as follows:

Server side:

app.post("get_dogs"){
    SecretKey = Authorization Header
    if SecretKey in Database{
        dogs = Database[SecretKey]
        return dogs;
    }
    return "Not found!!";
}

Client Side:

request = post("www.random.com/get_dogs")
request.authentication_header = SECRET KEY
response = request.send()

My question is: is this technique secure? I am sending the secret key in the authentication header. If someone seen the secret key, then they could have access to that user's account. One solution could be hashing, but then again - I am not quite sure.

Any advice would be greatly appreciated!

An authentication key is basically a password, so the basic rules of "keep it encrypted on the wire" and "don't share it with untrusted actors" still apply. — Mitch, Feb 15 '15 at 17:47
Interesting. I seen one service use the approach that I mentioned. Instead maybe sending a JWT token as the authentication header would be more appropriate. — , Feb 15 '15 at 17:49
@unknown: depends on what the token is for and what types of client you have. See this for some ideas/explanations: http://stackoverflow.com/questions/20870779/do-we-need-a-security-signature-for-the-web-service-response/20912293#20912293 — Bogdan, Feb 15 '15 at 17:54

score 0 · Answer 1 · answered Feb 16 '15 at 23:35

0

Use a standard like OAuth2 for authenticating requests. Don't invent your own. See http://soabits.blogspot.dk/2014/02/api-authentication-considerations-and.html for a longer discussion of the problem.

answered Feb 16 '15 at 23:35

Jørn Wildt

4,274
1
21
31

score -1 · Accepted Answer · answered Feb 17 '15 at 09:17

I think that this post could help you : https://templth.wordpress.com/2015/01/05/implementing-authentication-with-tokens-for-restful-applications/. It describes the different approaches to implement security within RESTful applications.

Hope it helps,

Thierry

Tips designing Restful API - Is this authentication logic reasonable?

2 Answers2