6

There are three options:

  1. Header
  2. URL
  3. Body

I haven't done too much work with authentication but am building an API that will need it. What I have done previously is parse the API key (e.g sha-256) in the body of a post request.

But I have just realised that you can't do this with GET requests, right? So I need to find the most secure way of authenticating each API request.

I was thinking, would it be more secure to pass the user's authenticationkey (which is stored in the users database table) as well as an oAuth key with each request? This way any hacker would need two keys to get into the system?

How should I go about this?

Example:

To authenticate every request, would I have the router check each request for an API key?

Sort of like this:

app.all('/api/v1/*', [require('./middlewares/validateRequestAPIKEY')]);
BSMP
  • 4,596
  • 8
  • 33
  • 44
James111
  • 15,378
  • 15
  • 78
  • 121

1 Answers1

2

I had design few API for the mobile applications and following is what I have implemented for my clients:

The Keys will be passed in header

On server side I will check for keys on each API call for validation, in some API you might need to skip the validation (login is one example)

Here are my implementations

1) Token/keys expiration is not required:

  • User register into the system
  • Server will generate a unique key for user store into system (you can just give a public key to client for encryption and store a private key in server for decryption)
  • Client will send this key in each subsequent request (you can encrypt the key with some other algorithm which can be decrypted at server for additional security)

2) When token requires expiration:

  • Create an API which will generate keys for limited period of time, client will call this API to get the key, the API will check if client is a valid user and return a key for specific period of time.
  • In next API request the client will send the keys in header, server will check if token/keys is valid/expired, if valid perform the operation else send response to client to generate keys again.
  • You can again encrypt the keys with other algorithm for additional security.

Hope that helps

Harshal Bulsara
  • 7,898
  • 4
  • 43
  • 61
  • Nice! Most, if not all mobile apps never make you login again. This must mean that there is no expiration date on there keys? I'm thinking I'll use something similar to option 2 but without the expiration! – James111 Dec 21 '15 at 03:53