How to send password to REST service securely?

StackOverflow https://stackoverflow.com/questions/19514538

Question

I am using Flask-Restful to build a REST service. The iOS device will then connect to this REST backend to sync the local data.

The service will be accessed over a https connection.

The REST service is stateless and the user has to authenticate upon each request. Hence the username and password will be sent in clear format to the REST service. The backend will hash the password and check against the existing hashed password in the database.

api.add_resource(Records, '/rest/records/<string:email>/<string:password>/<string:ios_sync_timestamp>')

Now one problem I see with this approach is that the username and password are in clear format as part of the GET url. The server log will obviously track this. Now if my backend was ever hacked into, the log files would compromise all the usernames and passwords.

What is the best solution to this? I was thinking maybe sending username and password as POST arguments, but how do I that with GET requests then?

class Records(Resource):
    def get(self, email, password, ios_sync_timestamp):
        pass
    def post(self, email, password, ios_sync_timestamp):
        pass
Was it helpful?

Solution

To authenticate each requests with a username and password like you want, you should use: Basic Authentication.

To use it, it's pretty simple and it works with all HTTP methods (GET, POST, ...). You just need to add an HTTP header into the request:

Authorization: Basic <...>

The <...> part is the username:password encoded in base64.

For example, if your login is foo and your password is bar. The HTTP header should have this line:

`Authorization: Basic Zm9vOmJhcg==`

Through your HTTPS connection, it's secure.

EDIT: Using Flask, you can use Flask HTTP auth to achieve this "automatically".

OTHER TIPS

Another solution instead of the Basic Auth in each call as suggested by Sandro Munda is to generate an API Key using a POST to first check credentials request and then passing it in the request headers. Then you can verify it in each API handler for a strict-grained checking or application-wide using a @before_request handler.

Workflow

  • Client sends a POST to the server with the credentials (username/pass)
  • Server replies with an API Key. Like an hexdigest of something secret.

from now on

  • Each time the client needs to send an API request it adds an header (let's call it X-API-Key with the API Key.
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top