Ask HN: REST and Authentication
So there's been something I've been wondering about for a little while now with respect to REST and authentication. First let me set up a basic scenario, and then I'll describe the problem.
Let's suppose that you have have a simple app that allows you to track your book collection. So you have a books table, and you want to expose that using a RESTful web app. My question is this: how would you restrict me to only mucking with my own collection?
I'm sorry if this seems really simple, but I've never come across an example that deals with this. If I want to expose an API to my users for my site, and I don't want them to be able to just willy-nilly muck around with all of the data in my site, how do I deal with this?
3 comments
[ 3.9 ms ] story [ 18.2 ms ] threadhttp://docs.amazonwebservices.com/AWSSimpleQueueService/2006...
This allows authentication without any sort of server-side session state, since each request can be authenticated individually. So it can be more horizontally scalable than a stateful session, but it may also be more CPU-intensive on both server and client, since they need to compute a cryptographic hash for every request. Also, the lack of a widely-reviewed standard library for HTTP+HMAC authentication means that you might end up rolling your own, which would probably have security holes that you don't catch, like all the recent timing attack vulnerabilities: http://news.ycombinator.com/item?id=760917
http://en.wikipedia.org/wiki/Basic_access_authentication
Simple but effective. One example of such a usage is mercurial: which uses HTTP basic auth for remote pushes to your web-based repository :) As that is a similar sort of thing it sounds ideal.