restful-authentication

RESTful API Authentication

。_饼干妹妹 submitted on 2019-12-02 20:44:20
I have found quite a few questions on this topic on SO, but couldn't find any answering this question: Should I validate users with their username and password, or with an API key? And what are the pros and cons of each method. I ask this because in my API, there are a couple of methods I'd like to lock down and verify that the user has access to some document or action. I'm a bit reluctant to authenticate by having the user send an HTTP AUTH header with their username and password because it feels unsecured and a bit more of a hassle for the user. On the other hand, though, if I use an API

how to call RESTful web service from android?

有些话、适合烂在心里 submitted on 2019-12-02 20:23:12
Question: I have written a REST web service in the NetBeans IDE using the Jersey framework and Java. For every request the user needs to provide a username and password; I know the authentication is not good. Using a curl command like: curl -u username:password -X PUT http://localhost:8080/user Now I want to call the REST web service from an Android class. What should I write? I am new to Android. I have an Android class which uses DefaultHttpClient and CredentialUsernameAndPassword. But when I run it in Eclipse, sometimes I get

HTTP 401 Unauthorized or 403 Forbidden for a “disabled” user?

ぃ、小莉子 submitted on 2019-12-02 20:20:59
An authentication service allows user accounts to be disabled (a sort of soft-delete). If the server then receives an authentication request for a disabled user that would otherwise be valid, should the server return 401 or 403? With either status code, I would return a message indicating that the account had been disabled. For quick reference, relevant quotes from HTTP/1.1 spec (emphasis mine): 401 Unauthorized The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource. The client

How to protect a Web API using ASP.NET 5 MVC 6

爱⌒轻易说出口 submitted on 2019-12-02 19:05:40
I have a nice ASP.NET 5 / MVC 6 app up and running. Essentially for this purpose it is just the normal sample app you get when you start a new project to keep it simple. So far I can: Register a user Login Logout Protect a page (forcing login etc) Now, what I would like is to provide an API mechanism for an app to login and get an authentication token. Specifically I am working on two mobile apps to test with, one using Angular / Cordova and one using Xamarin. I have looked high and low and I cannot seem to find an example yet that shows how to make this work. Every example I find so far

Java Program to fetch custom/default fields of issues in JIRA

↘锁芯ラ submitted on 2019-12-02 16:36:43
Question: I have developed a simple Java program to fetch the data of issues/user stories. I want to fetch the 'description' field of a particular issue. I have used the GET method to get the response but I'm getting errors while connecting to JIRA. import java.io.BufferedReader; import java.io.IOException; import java.io.InputStreamReader; import java.net.HttpURLConnection; import java.net.MalformedURLException; import java.net.URL; public class JiraIssueDescription { public static void main(String[] args) { try

What does #self.included(base) do in Ruby on Rails' Restful Authentication?

杀马特。学长 韩版系。学妹 submitted on 2019-12-02 16:35:49
I thought we would do helper_method :current_user, :logged_in?, :authorized? to make these controller methods available for use as helper methods in views. But in Restful Authentication's lib/authenticated_system.rb , I see: # Inclusion hook to make #current_user and #logged_in? # available as ActionView helper methods. def self.included(base) base.send :helper_method, :current_user, :logged_in?, :authorized? if base.respond_to? :helper_method end Why is it done this way instead of that single line? Also, I don't see included being called anywhere. The self.included function is called when the

Are there any disadvantages to GraphQL? [closed]

ぐ巨炮叔叔 submitted on 2019-12-02 15:45:32
All the articles about GraphQL will tell you how wonderful it is, but are there any disadvantages or shortcomings to it? Thank you. Disadvantages: You need to learn how to set up GraphQL. The ecosystem is still rapidly evolving so you have to keep up. You need to send the queries from the client, you can just send strings but if you want more comfort and caching you'll use a client library -> extra code in your client You need to define the schema beforehand => extra work before you get results You need to have a graphql endpoint on your server => new libraries that you don't know yet Graphql

Exposing Rails/Devise Authentication to iOS application

牧云@^-^@ submitted on 2019-12-02 15:17:13
I have a Rails 3.1 application that uses Devise for authentication with a simple User model with email, password etc. I need to be able to authenticate from an iPhone application. How do I expose this functionality? Broad answers are fine as I am not sure what my options are. The fastest way would be to simply enable http_authenticatable and pass the username and password through HTTP Basic Auth. While that's the easiest way, it means you have to store the user's password in plaintext and send it along with every request you make. A better option is token authentication, you can pass it through

How to use jti claim in a JWT

穿精又带淫゛_ submitted on 2019-12-02 14:22:05
The JWT spec mentions a jti claim which allegedly can be used as a nonce to prevent replay attacks: The jti (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The jti claim can be used to prevent the JWT from being replayed. The jti value is a case-sensitive string. Use of this claim is

Restful web service authentication

南笙酒味 submitted on 2019-12-02 14:14:27
I have a RESTful web service API that is being used by different 3rd parties. Part of that API is restricted (you need username/password to access it). I was wondering what would be the best way of implementing authentication? I'm using https, so communication is encrypted. I have two ideas: Before the user starts using the (restricted) service, it sends username/password using POST (since https is being used, credentials are encrypted). After the login is successful, the server sends back a random single-use value (nonce) that is matched with this username. When the next request is being made, alongside a