what are best practices for Session management for REST API
8,554 views
Skip to first unread message
Krishnakant
Jan 6, 2016, 12:42:38 AM1/6/16
to pylons-discuss
Dear all,
I wish to know what are the best practices in RESTful api when managing user authentication and other persistent data?
I understand as a newbie that REST = totally stateless = no session persistance on server.
So how do I do the authentication?
I feel that on first time login the user id must be sent back in the response and then onb every request the id should be passed.
So before doing any activity related to CRUD, the server must check if a user with that id exists and if he is an admin or a normal user (as is required in my case).
Is that Correct?
if so then can I do this with more than one parameter?
I also need the orc code for the given organization, as the service may be used by many organizations who share a common database.
Happy hacking.
Krishnakant.
I wish to know what are the best practices in RESTful api when managing user authentication and other persistent data?
I understand as a newbie that REST = totally stateless = no session persistance on server.
So how do I do the authentication?
I feel that on first time login the user id must be sent back in the response and then onb every request the id should be passed.
So before doing any activity related to CRUD, the server must check if a user with that id exists and if he is an admin or a normal user (as is required in my case).
Is that Correct?
if so then can I do this with more than one parameter?
I also need the orc code for the given organization, as the service may be used by many organizations who share a common database.
Happy hacking.
Krishnakant.
Paul Everitt
Jan 6, 2016, 6:58:51 AM1/6/16
to pylons-...@googlegroups.com
Doing RESTful APIs is indeed a little bit different than regular web interactions. Instead of doing credentials in a cookies and sessions, people are increasingly doing them as tokens sent in HTTP headers across domain boundaries. I’ll describe that below, JSON Web Tokens (JWT):
Here’s how the interactions work:
- You send a request to the API with no credentials. It replies back with with an HTTP forbidden.
- Your API client gets the forbidden and knows it needs to authenticate. It also knows the URL to authenticate against.
- It sends a POST to that URL with the login information. The server gets that information — perhaps a username, password, and your “organization” — and validates it.
- If valid, the server returns a response body containing the token, which is a payload wrapped in a secure envelope.
- The client gets the token and (here’s the first important difference) stores it. In memory, on disk…somewhere.
- The client then issues the first request again, this time sending the token in an HTTP header.
- The server gets the token and cryptographically unpacks it, then validates if the token is still valid (age, etc.)
Read the article for details on tokens.
In Pyramid, you can use the nice pyramid_jwtauth package to handle the JWT part, but it presumes you understand setting up Pyramid authentication. It also doesn’t automate things such as handling expired tokens and re-issue. I did a sample applicatino with a pyramid_jwtauth backend and an Angular frontend:
—Paul
--
You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pylons-discus...@googlegroups.com.
To post to this group, send email to pylons-...@googlegroups.com.
Visit this group at https://groups.google.com/group/pylons-discuss.
For more options, visit https://groups.google.com/d/optout.
Luis Aguirre
Jan 6, 2016, 6:59:04 AM1/6/16
to Pylons discuss
Hi Krishnakant,
I don't know if this is the best way, but it works pretty well for me:
* When my webapp POST user and password to /api/login, if it's valid, it returns a token_auth in reply. This token is persisted in the server (redis in my case) as key for user data (as department_id, tenant_id, name, role, etc)
POST: /api/login -> {"username": "myusername", "password": "yourpassword"}
REPLY:
{
"login": "myusername",
"token": "b89a187ac94e4728a47cfe1baf2a68f4"
}
When I recive the token, I store it in my webapp in a cookie or local storage.
* Then, you must send this token in every request, you can send it in two ways:
- In header, using Auth-Token. (I use Restangular and it's easy to configure defaults headers)
- In the url, using auth-token for example: www.mydomain.com/api/items?order_by=price&auth-token=b89a187ac94e4728a47cfe1baf2a68f4
That's all.
Make sure you use HTTPS!
Best regards,
Luis Aguirre
Paul Everitt
Jan 6, 2016, 7:02:32 AM1/6/16
to pylons-...@googlegroups.com
On Jan 6, 2016, at 6:58 AM, Luis Aguirre <agui...@xuar.com.ar> wrote:- In header, using Auth-Token. (I use Restangular and it's easy to configure defaults headers)
Rectangular, been a while since I heard that. I used it for a long time.
As a suggestion, give a look at satellizer for switching to client-persistent, standard-JWT tokens:
It’s a *great* example of an open source project: been around a long time (at least in Angular terms), lots of bug fix and feature releases, great docs, and good examples (Python backend in Flask, for example).
—Paul
Jonathan Vanasco
Jan 6, 2016, 11:21:33 AM1/6/16
to pylons-discuss
You can also use oAuth tokens, or even a combination of an account identifier and message digest that is using a shared-secret.
Luis Aguirre
Jan 6, 2016, 12:31:28 PM1/6/16
to Pylons discuss
Hi Paul,
I will check it! Thanks!
Luis Aguirre
--
Reply all
Reply to author
Forward
0 new messages