I've been doing this Java backend for an iPhone app (Jersey REST mainly) and implemented some web services like sign up and log in. Obviously I've needed params like username and pin. Since this services change state in the DB I've made them as POST and I've used #FormParams Jersey annotation for the params. The guy who worked on client kept sending the username and pin in the headers and it took a little while to discover where's the problem.
is this the standard, to put authentication-like data in headers? How do you do it?
if you use the standard http authentication mechanisms like Basic Authentication
then the credentials are sent in the http header
Something like this
POST /private/index.html HTTP/1.1
Host: localhost
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
if you planning to expose this backend through an unsecure network, i would advise you to use https - as it encrpts your header
But if you are implementing your own authentication mechanism - then you can pass the credentials anywhere you like (header or body), that way- your backend would know where to look for the username and password.
check these links for reference
Basic authentication
http authentication
Related
I am trying to build an API server for http and started off with djangorestframework and someone suggested using djangorestframework-jwt. However, I saw this from their homepage.
Unlike some more typical uses of JWTs, this module only generates authentication tokens that will verify the user who is requesting one of your DRF protected API resources. The actual request parameters themselves are not included in the JWT claims which means they are not signed and may be tampered with. You should only expose your API endpoints over SSL/TLS to protect against content tampering and certain kinds of replay attacks.
Does djangorestframework-jwt work for http and https? Is it safe? If not, what is the alternative? Is this the approach for authentication in a REST API?
Its http that isn't safe, nothing to do with the authentication method.
Initially, the user has to POST their login credentials. If those are sent via a http connection, anybody in between can read their username and password.
What's more, if you send the JWT token over http, somebody in between may just grab it and re-use it to authenticate their own queries against your API, until the token expires.
Good rule: if any kind of authentication is involved, use https.
I was wondering why my Authorization Header is not recognized. When I pass it to my server web app endpoint.
However, when I do it on my localhost it works well
These are my request headers:
PS.
I am using Django Rest Framewok on my backend and what you see is Google Chrome's Advanced REST Client for testing my APIs. Also please take note that the CORS HEADERS are allowed and Token Authentication is the method I'm Using as credentials for my endpoints.
I have to design an API that will support browser plugins only (latest version of Chrome, Firefox, IE). The API will be served over HTTPS. The API will be using a cookie-based access control scheme.
I am wondering what tactics to employ for CSRF prevention. Specifically, I want my API only to get requests from my own browser plugin itself and not from any other pages/plugins.
Would I be able to:
Assume that in most cases there would be an Origin header?
Would I be able to compare and trust the Origin header to ensure that the requests only come from a white-listed set of Origins?
Would this be compatible across the board (Chrome/Firefox/IE)?
I'm aware of multiple techniques used to prevent CSRF, such as the Synchronizer Token Pattern, but I would like to know in my limited scope above, if simply checking the Origin header would be sufficient?
Thanks in advance!
Set a custom header like X-From-My-Plugin: yes. The server should require its presence. It can be a constant. A web attacker can either:
make the request from the user's browser: this sends the cookie, but they can't send the custom header cross-origin; or
make the request from a different HTTP client: they can send the custom header, but they can't send the cookie because they don't know it
Either way, the attacker's request won't have both the cookie and the custom header.
I have server with some resources; until now all these resources were requested through a browser by a human user, and the authentication was made with an username/password method, that generates a cookie with a token (to have the session open for some time).
Right now the system requires that other servers make GET requests to this resource server but they have to authenticate to get them. We have been using a list of authorized IPs but having two authentication methods makes the code more complex.
My questions are:
Is there any standard method or pattern to authenticate human users and servers using the same code?
If there is not, are the methods I'm using now the right ones or is there a better / more standard way to accomplish what I need?
Thanks in advance for any suggestion.
I have used a combination of basic authentication and cookies in my web services before. In basic authentication you pass the user name/password encoded in the HTTP header where it looks something like this.
Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=
The string after the word "Basic" is the encoded user name and password that is separated by a colon. The REST API can grab this information from the HTTP header and perform authentication and authorization. If authentication fails I return an HTTP Unauthorized error and if they are authenticated but are not authorized I return an HTTP Forbidden error to distinguish between failure to authentication versus authorization. If it is a web client and the person is authenticated then I pass the following in the HTTP header with a request.
Authorization: Cookie
This tells the web service to get the cookie from the HTTP request and use it for authorization instead of doing the authentication process over again.
This will allow clients that are not web browsers to use the same techniques. The client can always use basic authentication for every request, or they can use basic authentication on the initial request and maintain cookies thereafter. This technique also works well for Single Page Applications (SPAs) where you do not have a separate login page.
Note: Encoding the user name and password is not good enough security; you still want to use HTTPS/SSL to secure the communications channel.
I have created a simple server accepting tcp and http requests and parsing them in C++. Now I want to create an openID login system which would support Google open ID. I use boost and Curl in my server. Currently I have no ssh in my server except curl can make ssh requests.
So what do I have:
html get/posts requests parsing into maps of map<string, string>
curl with ssh support
file returning server functionality (with modified response arguments)
What else shall I implement to support the possibility of google OpenID login? (I need only some basic unique identifier from user - not his\her name or any other details)
What shall be my steps in order to get unique user ID in server that recieved request with something like openIdLogin :https://www.google.com/accounts/o8/id in it?
I need some simple, readable instructions like once provided by google for reCAPTCHA Verifying the User's Answer Without Plugins - where shall user be redirected, what shall be in Request, Response etc. (not pure Specs)
From the open ID wiki
http://enthusiasm.cozy.org/archives/2005/05/openid-part-iii-pingpong
or from Google's own doc
http://code.google.com/apis/accounts/docs/OpenID.html#Interaction
What it sounds like you are looking for is Google's Federated Login. What it basically amounts to is sending some url requests to Google's servers and providing a callback url where you want the user to return to after they login on Google's servers.
Towards the bottom of the page there are some sample requests and responses that should help you get started.