I am the author of the RESTProvider. Still very early stage so I would not recommend to use it in production. I have been using it on several projects which are in production but I adapted most the code to specific needs. I will try to get a public stable API by the end of … Read more
When I was investigating how to implement security for my own WCF RESTful service I spent some time looking at how other popular services like flickr and amazon implement their own security – assuming that they’ve probably spent far more time thinking about it than I have. Flickr’s documentation in particular helped shaped how I … Read more
It is good practice to have mobile clients periodically renew their authentication token. This of course is up to the server to enforce. The default TokenAuthentication class does not support this, however you can extend it to achieve this functionality. For example: from rest_framework.authentication import TokenAuthentication, get_authorization_header from rest_framework.exceptions import AuthenticationFailed class ExpiringTokenAuthentication(TokenAuthentication): def authenticate_credentials(self, … Read more
There’s another, very secure method. It’s client certificates. Know how servers present an SSL Cert when you contact them on https? Well servers can request a cert from a client so they know the client is who they say they are. Clients generate certs and give them to you over a secure channel (like coming … Read more
If you are strictly using the HTTP authentication framework provided by RFC 7235 for your REST API, the correct HTTP code would actually be 401. From the RFC: The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The server generating a … Read more
I like the XSRF Double Submit Cookies method which mentioned in the article that @pkid169 said, but there is one thing that article doesn’t tell you. You are still not protected against XSS because what the attacker can do is inject script that reads your CSRF cookie (which is not HttpOnly) and then make a … Read more
Follow the example to avoid the out-of-order middleware hell that express makes it so easy to enter. Straight from the docs. Note how yours does not match this exactly. var app = express(); app.use(require(‘serve-static’)(__dirname + ‘/../../public’)); app.use(require(‘cookie-parser’)()); app.use(require(‘body-parser’).urlencoded({ extended: true })); app.use(require(‘express-session’)({ secret: ‘keyboard cat’, resave: true, saveUninitialized: true })); app.use(passport.initialize()); app.use(passport.session()); Docs cookieParser session … Read more
We’re exposing an API that partners can only use on domains that they have registered with us. Its content is partly public (but preferably only to be shown on the domains we know), but is mostly private to our users. So: To determine what is shown, our user must be logged in with us, but … Read more
First of all, REST is not a religion and should not be approached as such. While there are advantages to RESTful services, you should only follow the tenets of REST as far as they make sense for your application. That said, authentication and client side state do not violate REST principles. While REST requires that … Read more
How to handle authentication in a RESTful Client-Server architecture is a matter of debate. Commonly, it can be achieved, in the SOA over HTTP world via: HTTP basic auth over HTTPS; Cookies and session management; Token in HTTP headers (e.g. OAuth 2.0 + JWT); Query Authentication with additional signature parameters. You’ll have to adapt, or … Read more