2

Not sure if the title of the question expresses my problem well, so I'm going to do my best to explain it here:

I'm writing a RESTful API using PHP and Restler. Now here comes the problem:

  • There are some services that I'd like to protect, that is, know if the user requesting that service has enough privileges.

  • All the services that I'm implementing have to be consumed using JavaScript, so the traditional user/password method won't work because everyone will see that!

  • I'd also like to limit the number of requests an anonymous user can make, like Twitter does with the search service.

What can I do to expose my API to everyone, but only let users with privileges complete their requests?

I stumbled upon this post: REST authentication and exposing the API key, but in the end, no solution was provided.

I'm very open to any alternative, like OAuth. I would like to use something that integrates well with Restler though, but if that is not possible, then it's OK.

I've seen a lot of info saying that an API key would do the work, but since I'm using JavaScript, how can I protect those keys from being used by other users?

danielrvt

1 Answer

1

Update: Restler 3 has been released with hybrid access support using the @access hybrid comment and is available here!


Just in time with the right question :)

Your question has two parts:

1. How do I do hybrid access (both public and protected access) with Restler

Restler 2 does not support hybrid access, but Restler 3, which will be released in August 2012 (this week), will support hybrid access, built exactly for your use case.

You can follow the development on Twitter and/or Facebook.

2. How can I protect my API when the primary consumer is JavaScript

For simplicity you may use HTTPS with Basic Authentication or HTTP with Digest Authentication.

Another alternative is described in this article. It is not written specifically for Restler, but it is easy to adapt to Restler. Let us know if you need help with that.

Arul Kumaran
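The hybrid access pattern discussed in this thread, as an added example that is not part of the original answer and does not use Restler's own API: plain PHP that accepts Basic credentials only over HTTPS, lets authenticated users through, and rate-limits anonymous callers on a hybrid endpoint. The function names, the in-memory user store and counter, and the limit of 3 requests per hour are assumptions made for illustration.

```php
<?php
// Added example, not Restler's API. Constructed user store (assumption);
// a real one would load stored password hashes.
$users = ['alice' => password_hash('s3cret-demo', PASSWORD_DEFAULT)];

// Returns the user name, null for an anonymous caller, or false when
// credentials were sent but are wrong or arrived without TLS.
function authenticate(array $server, array $users)
{
    if (!isset($server['PHP_AUTH_USER'])) {
        return null;
    }
    $isHttps = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $hash = $users[$server['PHP_AUTH_USER']] ?? null;
    $ok = $isHttps && $hash !== null && password_verify($server['PHP_AUTH_PW'] ?? '', $hash);
    return $ok ? $server['PHP_AUTH_USER'] : false;
}

// Fixed-window counter per client address; $hits stands in for a shared store.
function anonymousAllowed(array &$hits, string $ip, int $now, int $limit = 3, int $window = 3600): bool
{
    $key = $ip . '|' . intdiv($now, $window);
    $hits[$key] = ($hits[$key] ?? 0) + 1;
    return $hits[$key] <= $limit;
}

// HTTP status for one request; $protected is false for a hybrid endpoint.
function decide(array $server, array $users, array &$hits, bool $protected, int $now): int
{
    $user = authenticate($server, $users);
    if ($user === false) {
        return 401; // bad credentials never fall back to anonymous access
    }
    if ($user !== null) {
        return 200; // authenticated callers are not rate-limited here
    }
    if ($protected) {
        return 401; // protected endpoints require credentials
    }
    return anonymousAllowed($hits, $server['REMOTE_ADDR'] ?? '', $now) ? 200 : 429;
}

// Constructed requests: four anonymous calls to a hybrid endpoint, then alice.
$hits = [];
$anon = ['REMOTE_ADDR' => '203.0.113.7', 'HTTPS' => 'on'];
for ($i = 1; $i <= 4; $i++) {
    echo "anonymous #$i: ", decide($anon, $users, $hits, false, 1700000000), "\n";
}
$alice = $anon + ['PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 's3cret-demo'];
echo "alice: ", decide($alice, $users, $hits, true, 1700000000), "\n";
```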