Generating and authenticating by API keys


Neil Cauldwell

May 30, 2009, 6:02:11 AM
to rubyonra...@googlegroups.com
I'm trying to get my head round offering up an API for a RESTful app; is
it just a matter of;

1. adding an api_key column to the resource on which incoming requests
will be made (the app has a User model but I think the API authentication
will need to be done on the Site model to which Users belong),

2. generating the API key using Digest::SHA1 or similar (the last dev
used SHA1 for the passwords),

3. authenticating via API keys in a filter (perhaps something along the
lines of option 2 here
http://www.whatcodecraves.com/articles/2008/11/25/how_to_make_an_api_for_a_rails_app/).

Unfortunately, the authentication lib is custom (I would much prefer to
be working with one of the community adopted plugins such as Authlogic,
which appears to have API key authentication anyway).

Am I missing anything or does that sound like a reasonable starting
point?
--
Posted via http://www.ruby-forum.com/.

Matt Jones

May 31, 2009, 11:59:58 AM
to Ruby on Rails: Talk
If your site is like most, API keys are handed out to users. So it
would probably be best to just store the key on the user model, and
then do a User.find_by_api_key(..etc...) in your before_filter.

--Matt Jones


On May 30, 6:02 am, Neil Cauldwell <rails-mailing-l...@andreas-s.net>
wrote:
> I'm trying to get my head round offering up an API for a RESTful app; is
> it just a matter of;
>
> 1. adding an api_key column to the resource on which incoming requests
> will be made (the app has a User model but I think the API authentication
> will need to be done on the Site model to which Users belong),
>
> 2. generating the API key using Digest::SHA1 or similar (the last dev
> used SHA1 for the passwords),
>
> 3. authenticating via API keys in a filter (perhaps something along the
> lines of option 2 here http://www.whatcodecraves.com/articles/2008/11/25/how_to_make_an_api_...).

Neil Cauldwell

May 31, 2009, 1:27:24 PM
to rubyonra...@googlegroups.com
Matt Jones wrote:
> If your site is like most, API keys are handed out to users. So it
> would probably be best to just store the key on the user model, and
> then do a User.find_by_api_key(..etc...) in your before_filter.
>
> --Matt Jones
>
>
> On May 30, 6:02 am, Neil Cauldwell <rails-mailing-l...@andreas-s.net>

Thanks Matt

I was coming to the conclusion that all apps are authorizing API keys
per user, rather than per business or account, as I was thinking of
doing in this instance.

The main reason for the original line of thought is that this
application charges for usage per 'Site' (it's a bit like you might
expect a 'Business' or 'Account' model to work) and I've been reading
that the main reason for API keys is that they can be used to monitor usage -
and if I'm monitoring usage, I'm probably going to do it on a per-Site
model basis.

Here's a tutorial on how to add the API keys to restful-authentication,
in case any fellow new newbies stumble across this thread;
http://www.compulsivoco.com/2009/05/rails-api-authentication-using-restful-authentication/
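
An added example, not part of the thread and not code from any poster: a plain-Ruby stand-in for the per-Site scheme discussed above, with the key looked up in something that plays the role of a before_filter and usage counted per Site. The names `Site.create`, `api_key_digest`, `record_request!` and `authenticate_api_request` are hypothetical, and using SecureRandom for the key and storing only a SHA-256 digest of it are assumptions of this example, not something the thread specifies.

```ruby
require 'securerandom'
require 'digest'

# In-memory stand-in for a Site model with an api_key_digest column (hypothetical).
class Site
  attr_reader :name, :api_key_digest, :request_count

  @sites = {} # digest => Site; plays the role of an indexed database column

  # Creates a Site and returns [site, raw_key]. The raw key is handed to the
  # customer once; only its digest is kept, so a leaked table exposes no keys.
  def self.create(name)
    raw_key = SecureRandom.hex(32) # 256 random bits from the OS CSPRNG
    site = new(name, digest_for(raw_key))
    @sites[site.api_key_digest] = site
    [site, raw_key]
  end

  def self.digest_for(raw_key)
    Digest::SHA256.hexdigest(raw_key)
  end

  # Equivalent of a find_by_... lookup: reject malformed input, then look up by digest.
  def self.find_by_api_key(raw_key)
    return nil unless raw_key.is_a?(String) && raw_key.match?(/\A\h{64}\z/)
    @sites[digest_for(raw_key)]
  end

  def initialize(name, digest)
    @name = name
    @api_key_digest = digest
    @request_count = 0
  end

  # Per-Site usage metering, the reason given in the thread for keying on Site.
  def record_request!
    @request_count += 1
  end
end

# What the before_filter would do with the request params: returns [status, site].
def authenticate_api_request(params)
  site = Site.find_by_api_key(params['api_key'])
  return [401, nil] unless site
  site.record_request!
  [200, site]
end
```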
