Ask HN: REST and Authentication

5 points by Davertron ↗ HN
So there's been something I've been wondering about for a little while now with respect to REST and authentication. First let me set up a basic scenario, and then I'll describe the problem.

Let's suppose that you have have a simple app that allows you to track your book collection. So you have a books table, and you want to expose that using a RESTful web app. My question is this: how would you restrict me to only mucking with my own collection?

I'm sorry if this seems really simple, but I've never come across an example that deals with this. If I want to expose an API to my users for my site, and I don't want them to be able to just willy-nilly muck around with all of the data in my site, how do I deal with this?

3 comments

[ 3.9 ms ] story [ 18.2 ms ] thread
The Amazon Web Services (AWS) authentication system is a good example. It uses an HMAC sent in the request headers, so that each request is effectively signed by the sender:

http://docs.amazonwebservices.com/AWSSimpleQueueService/2006...

This allows authentication without any sort of server-side session state, since each request can be authenticated individually. So it can be more horizontally scalable than a stateful session, but it may also be more CPU-intensive on both server and client, since they need to compute a cryptographic hash for every request. Also, the lack of a widely-reviewed standard library for HTTP+HMAC authentication means that you might end up rolling your own, which would probably have security holes that you don't catch, like all the recent timing attack vulnerabilities: http://news.ycombinator.com/item?id=760917

I would suggest simple using the HTTP basic auth.

http://en.wikipedia.org/wiki/Basic_access_authentication

Simple but effective. One example of such a usage is mercurial: which uses HTTP basic auth for remote pushes to your web-based repository :) As that is a similar sort of thing it sounds ideal.

Agreed. HTTP Basic doesn't do everything, but at least the limitations are well known and the implementations are well understood. Combine it with SSL and you have reasonably secure request authentication.