Ask HN: How are you authenticating rest service clients
I've been playing with asp.net webapi and basic auth header (with user:pass in base 64).
If you have a angular or knockout front end, are you storing the login details in a cookie and passing in the header, or via a token? Where are you storing that token?
I am new to this sort of api / javascript front end and want to deal with security according to best practice.
What do you recommend?
12 comments
[ 3.5 ms ] story [ 31.8 ms ] threadIt's up to the client to store the token however it likes, but our reference implementation stores it as a cookie on the local machine.
If a new request comes from an IP address which doesn't match the encrypted token, or if there are system details in the encrypted token which don't match up with the one on file (we restrict sessions to single instances), then the request is rejected.
ServiceStack uses a HTTP cookie and supports a variety of authentication options out of the box, including basic auth.
https://github.com/ServiceStack/ServiceStack/wiki/Authentica...
We also use the easy hooks that ServiceStack offers to validate API developer / app tokens as well.
Social Bootstrap API is a backbone example:
https://github.com/ServiceStack/SocialBootstrapApi
https://github.com/ServiceStack/ServiceStack.Examples
http://stackoverflow.com/questions/15862634/in-what-order-ar...
It also has various other goodies, such as:
https://github.com/ServiceStack/ServiceStack/wiki/Metadata-p...
https://github.com/ServiceStack/ServiceStack/wiki/The-IoC-co...
https://github.com/ServiceStack/ServiceStack/wiki/Plugins
https://github.com/ServiceStack/ServiceStack/wiki/Clients-ov...
It also doesn't require ASP.NET and can run on Unix under Mono.
Try it, you won't go back to WebAPI is guarantee it!
E.g., if I log in today, then come back on a different computer, how do you know to give me the same token?
I've always copped out on REST auth and just gone client/server for authentication, with REST for everything else, for fear of fucking it up.
My question revolves around how one secures the username/password authentication over REST for those initial phases.
I've been just handling traditional logins in the old client/server, non-REST model, and then, on login, setting a cookie with the token, that I then use to authenticate the other application interactions.
For username/password over REST, is SSL good enough? I don't know, and I've never wanted to guess and be wrong. I've looked it up a couple of times, but advice on the subject ranges broadly between "don't ever do that" and "sure, it's fine."
https://news.ycombinator.com/item?id=6858572
> is SSL good enough
In my opinion, no.
It will protect the password from potential MITM attack (assuming the user hasn't accepted a bad SSL certificate & you are checking that the cert is valid).
However, if someone MITMs your app for the purpose of reverse engineering, they will very easily see that the username/password API call is available & there will be nothing tangibly stopping them from using it.
By using a client SSL certificate in addition to the normal server-side SSL for 'restricted endpoints', other apps will not be able to replicate the request & it will also not be visible even in MITM attacks where the certificate is trusted.
If the private key for your client SSL certificate is leaked/found/reverse engineered/disassembled though, that protection is gone. Assuming it is actually compiled into your binary though, this is not trivial.
1 - plain username/password
If you have an API call for logging the user in with a username & password which only your app should use, and you're (very) paranoid about someone else using that call, consider using a client SSL certificate.
Securing the request via a client SSL certificate will prevent the replication of that request by another app unless they go to the lengths required to actually disassemble your app.
2 - token generation
In the OAuth implementation for the system I'm currently working on, we decided to simply encrypt the ID of the row (plus a salt) for that access token, rather than generating a random string.
This has two benefits:
- it is extremely fast to look up the access token in the database, since we're using the primary key, rather than searching for a string
- no possibility of collisions
If this is a flawed approach, please let me know. We're using AES & are encrypting "AccessToken" + ID, so replay attacks from other encrypted data aren't possible.