We’re exposing an API that partners can only use on domains that they have registered with us. Its content is partly public (but preferably only to be shown on the domains we know), but is mostly private to our users. So: To determine what is shown, our user must be logged in with us, but … Read more
It depends on your needs. Do you need: Identity – who claims to be making an API request? Authentication – are they really who they say they are? Authorization – are they allowed to do what they are trying to do? or all three? If you just need to identify the caller to keep track … Read more
Follow the example to avoid the out-of-order middleware hell that express makes it so easy to enter. Straight from the docs. Note how yours does not match this exactly. var app = express(); app.use(require(‘serve-static’)(__dirname + ‘/../../public’)); app.use(require(‘cookie-parser’)()); app.use(require(‘body-parser’).urlencoded({ extended: true })); app.use(require(‘express-session’)({ secret: ‘keyboard cat’, resave: true, saveUninitialized: true })); app.use(passport.initialize()); app.use(passport.session()); Docs cookieParser session … Read more
After reading your question, I would say, generate special token to do request required. This token will live in specific time (lets say in one day). Here is an example from to generate authentication token: (day * 10) + (month * 100) + (year (last 2 digits) * 1000) for example: 3 June 2011 (3 … Read more
Disadvantages: You need to learn how to set up GraphQL. The ecosystem is still rapidly evolving so you have to keep up. You need to send the queries from the client, you can just send strings but if you want more comfort and caching you’ll use a client library -> extra code in your client … Read more
It is good practice to have mobile clients periodically renew their authentication token. This of course is up to the server to enforce. The default TokenAuthentication class does not support this, however you can extend it to achieve this functionality. For example: from rest_framework.authentication import TokenAuthentication, get_authorization_header from rest_framework.exceptions import AuthenticationFailed class ExpiringTokenAuthentication(TokenAuthentication): def authenticate_credentials(self, … Read more
I like the XSRF Double Submit Cookies method which mentioned in the article that @pkid169 said, but there is one thing that article doesn’t tell you. You are still not protected against XSS because what the attacker can do is inject script that reads your CSRF cookie (which is not HttpOnly) and then make a … Read more
If you are strictly using the HTTP authentication framework provided by RFC 7235 for your REST API, the correct HTTP code would actually be 401. From the RFC: The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The server generating a … Read more
Try this one to push basic authentication at url: curl -i http://username:password@dev.myapp.com/api/users -H “Authorization: Bearer mytoken123” ^^^^^^^^^^^^^^^^^^ If above one doesn’t work, then you have nothing to do with it. So try the following alternates. You can pass the token under another name. Because you are handling the authorization from your Application. So you can … Read more
First of all, REST is not a religion and should not be approached as such. While there are advantages to RESTful services, you should only follow the tenets of REST as far as they make sense for your application. That said, authentication and client side state do not violate REST principles. While REST requires that … Read more