Saturday 3 August 2013

Authentication in REST Service

Today I tried to get authentication working for accessing REST services. I use ExpressJS to serve the REST service, of course on NodeJS.

There are some options I found interesting and worth considering, and I will share and document them here. I hope this will be useful for other programmers out there.

There are 2 options I explored for authentication:

  1. Include the authentication information in the query URL.
    For example, http://api.myservice.com/api/v1/tweet/?user=themaster&apikey=9294023984987249
    This is the easiest way to generate in any application and is common in all web applications.
  2. Include the authentication information in the HTTP request header.
    With this method the credentials arrive in the request headers sent by the client. This one needs some digging and knowledge to generate the HTTP header. For example, the headers of one request:
    1. Accept:
      application/json, text/plain, */*
    2. Accept-Encoding:
      gzip,deflate,sdch
    3. Accept-Language:
      en-US,en;q=0.8
    4. Authorization:
      basic bXVsaWFudG86YmEzMWRkNGNkZTRjNGNhMzRhMGMyODMyZDJjZDQxZTU1NmM0YWRiMg==
    5. Connection:
      keep-alive
With these options, there are some good and bad points in the implementation. Let's dig into them and analyze them based on our needs.
First, consider caching by public caches. If your URL contains query parameters, the response will not be cached. So the first option will not benefit from public cache servers, which are usually available near the user, provided by the ISP, the company infrastructure or a local cache.
With the second option there are no query parameters in the URL, so HTTP GET operations can benefit from caching.

Second, consider security: you must use HTTPS if you don't want anyone who can analyze the traffic to get your credentials. If your REST service is served over HTTPS, then this is OK and there is no need to worry about a man-in-the-middle attack.
Also, with the second option you still have a security issue, because the Authorization value is only Base64-encoded, which can be decoded back to plain text. But at least your credentials are not shown openly in the URL.

So with these findings, I decided to use the second option, HTTP Basic Authentication in the request header. But I won't use the challenge-response method toward the requesting user, because the request will come from an XHR (Ajax) request. So I just return 401 if the Authorization header is missing or does not match.

If you want your users to enter the credentials themselves, just challenge the request with a WWW-Authenticate header in the response.

We also get cleaner URLs, without query parameters exposed to anyone casually scanning the HTTP requests.

Next I will post the code to do this basic authentication on the server and in the AngularJS application.

Stay Tuned.