1. 技术文章
  2. How to send password to REST service securely?

How to send password to REST service securely?

懵懂的女人 提交于 2019-12-20 20:20:09

问题


I am using Flask-Restful to build a REST service. The iOS device will then connect to this REST backend to sync the local data.

The service will be accessed over a https connection.

The REST service is stateless and the user has to authenticate upon each request. Hence the username and password will be sent in clear format to the REST service. The backend will hash the password and check against the existing hashed password in the database.

api.add_resource(Records, '/rest/records/<string:email>/<string:password>/<string:ios_sync_timestamp>')

Now one problem I see with this approach is that the username and password are in clear format as part of the GET url. The server log will obviously track this. Now if my backend was ever hacked into, the log files would compromise all the usernames and passwords.

What is the best solution to this? I was thinking maybe sending username and password as POST arguments, but how do I that with GET requests then?

class Records(Resource):
    def get(self, email, password, ios_sync_timestamp):
        pass
    def post(self, email, password, ios_sync_timestamp):
        pass

回答1:


To authenticate each requests with a username and password like you want, you should use: Basic Authentication.

To use it, it's pretty simple and it works with all HTTP methods (GET, POST, ...). You just need to add an HTTP header into the request:

Authorization: Basic <...>

The <...> part is the username:password encoded in base64.

For example, if your login is foo and your password is bar. The HTTP header should have this line:

`Authorization: Basic Zm9vOmJhcg==`

Through your HTTPS connection, it's secure.

EDIT: Using Flask, you can use Flask HTTP auth to achieve this "automatically".




回答2:


Another solution instead of the Basic Auth in each call as suggested by Sandro Munda is to generate an API Key using a POST to first check credentials request and then passing it in the request headers. Then you can verify it in each API handler for a strict-grained checking or application-wide using a @before_request handler.

Workflow

  • Client sends a POST to the server with the credentials (username/pass)
  • Server replies with an API Key. Like an hexdigest of something secret.

from now on

  • Each time the client needs to send an API request it adds an header (let's call it X-API-Key with the API Key.


来源:https://stackoverflow.com/questions/19514538/how-to-send-password-to-rest-service-securely

标签
python
rest
Flask
flask-restful
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!