REST API Login approach (codeigniter)

Since the connection is HTTPS, anything you send over the wire is secure (theoretically and provided you aren't being mitm'd). Not sure if the whole API is served over HTTPS (you didn't specify), so even though you could return the key as part of the login (while still under the umbrella of HTTPS), if the rest of the api isn't HTTPS, the key could be sniffed on the next request.

Sessions and cookies aren't typically part of a RESTful application; REST is stateless.

Something like a revolving key would be better for non-HTTPS (would work with HTTPS too). You login via HTTPS, server returns the api key, you use it on the next request, server returns new api key, you use it on the next request and so on. While it's better than a single api key over non-HTTPS, it's not perfect. If someone sniffs the response from one of the subsequent requests and you don't end up consuming that key, they can use it. This shrinks the attack vector to a non-HTTPS response from server to client since if a request from client to server is sniffed, the api key will have already been consumed by your legitimate request. However, more should be done to secure the api if you aren't serving it over HTTPS.

If it were me, I'd look into request signing + https. There's some talk of request signing here: https://stackoverflow.com/a/8567909/183254

There's also some info on digest auth at the Securing the API section of http://net.tutsplus.com/tutorials/php/working-with-restful-services-in-codeigniter-2/

A pseudo-code example js function on the client

```javascript
function get_calendar() {
    // jQuery reads and writes an input's value with .val(), not .value()
    var key = $('#api_key').val();
    $.ajax({
        type: 'get',
        url: '/index.php/api/calendar?key=' + encodeURIComponent(key),
        dataType: 'json',
        success: function (response) {
            // show calendar
            // ...
            // store the freshly issued api key in the hidden field with id api_key
            $('#api_key').val(response.api_key);
        }
    });
}
```

Example controller method:

```php
function calendar_get($api_key = '')
{
    // verify incoming api key; _api_key_matches() is a placeholder for your own
    // lookup of the currently valid key, like _generate_api_key() below
    if (!$this->_api_key_matches($api_key)) {
        $this->response(array('error' => 'invalid api key'), 401);
        return;
    }
    $r = array();
    $r['calendar'] = $this->some_model->get_calendar();
    $r['api_key'] = $this->_generate_api_key(); // generate or get api key
    $this->response($r);
}
```