2

I'm using bottle to write a very simple backend API that will allow me to check up on an ongoing process remotely. I'm the only person who will ever use this service—or rather, I would very much like to be the only person to use this service. It's a very simple RESTish API that will accept GET requests on a few endpoints.

I've never really done any development for the web, and I wanted to do something as simple as is reasonable. Even this is probably an undue level of caution. Anyway, my very-very-basic idea was to use https on the server, and to authenticate with basically a hard-coded passkey. It would be stored in plaintext on the server and the client, but if anyone has access to either of those then I have a different problem.

Is there anything glaringly wrong about this approach?

cmyr
  • 2,235
  • 21
  • 30

2 Answers2

1

This SO comment answers your question

You'll need to encode login:password pair with base64, for example dGVzdDp0ZXN0 is test:test.

Community
  • 1
  • 1
Ilya Kharlamov
  • 3,698
  • 1
  • 31
  • 33
0

If you are using password authentication you need to store the password in the server so you can validate the password you send from the client is Ok.

In your particular case you will be using basic authentication, as you want the simplest. Basic authentication over HTTP/HTTPS encodes the password with base64 but that's not a protection measure. Base64 is a two way encoding, you can encode and decode a chunk of data and you need no secret to do it. The purpose of Base64 encoding is codify any kind of data, even binary data, as a string.

When you enter the password and send it over HTTPS, the HTTPS tunel avoids anyone from seeing your password.

Other problem comes if someone gets access to your server and reads the password "copy" that you are using to check if the entered password was valid. The best way to protect is hashing it. A hash is a one way codification system. This means anyone can hash a password, but you can not unhash a chunk of data to discover the password. The only way to break a hashed password is by brute force. I'll recommend using MD5 or SHA hashes.

So to make it simple. The client uses http/https basic authentication, so you'll encode your password in base64. Pass it through a header, not the URL. The server will contain a hased copy of the password either on databse or wherever you want. The backend code will recibe the http request, get the passowrd, base64 decode it and then hash it. Once hashed, you will check if its equal to the copy stored in the server.

This is it. Hope it helps!

Daniel Cerecedo
  • 6,071
  • 4
  • 38
  • 51
  • Yea this is more or less what I'm doing. I'm not worried about somebody having access to the server; if they do then this very inconsequential process being interfered with is low on my list of worries. – cmyr May 24 '13 at 15:47