How to implement security in REST calls in .NET using NANCY and RESTsharp?

Question

How do I add a security layer to my REST application, I am both in control of my server and client, I am using NANCY as a server and RESTsharp as client.

I have hard time understanding how to make calls secure if REST support to be stateless.

Thank you

Answer 1

Christian's comment may be sufficient for your needs. It shows how to use the Nancy add-ins for Basic or FormsAuth and RESTSharp does support Basic auth right out of the box.

I've been building a Nancy driven REST API at work for quite some time now, we've used both RESTSharp as well as plain HTML+JS as clients and we chose to implement our own session based authentication (partly because those add-ins didn't exist when we implemented). However what is nice about it, is how simple it is to use regardless of what the client supports. I'll quickly explain how it works.

The client sends their username and password (or if you like, identifier and secret key) to create a new session resource using POST /sessions (use HTTPS). This resource contains a session key which can be used for subsequent calls. The session expires after X minutes of inactivity.

Each call made to the service requires a valid session key (except creating a session). The key is provided either as a cookie or in the query string. When using RESTSharp we usually set this as a cookie and just keep reusing it unless it's expired.

Finally, the session can be destroyed by calling DELETE /session/{key}.

This is a simple, but effective (assuming HTTPS) way to secure a REST API.

Alternatively you could implement OAuth, which RESTSharp also apparently supports out of the box.