
I am building an API following RESTful principles as much as possible. The request in discussion is to allow a user to check his/her credits available in a system. At the point of request, the system verifies the user by comparing the provided username and password already in the system. Please note that changing the authentication method (to OAuth or the like) is not an option at the moment.

As this is a "Read" request, GET method is used. So, I would have the following:

GET http://mydomain.com/credit?username=XYZ&password=123

By following the RESTful principle and using the verb properly I fear that the username and password are easily readable / accessible. In a non-API scenario I would have just used a normal form POST with SSL...

Am I wrong to assume the risk mentioned above?

kenanng
  • After reading through the answers and the articles and mechanisms suggested, I believe that using SSL will be the best approach. It is important to understand that, while holding to REST principle, I should not take it to the extreme to the point it becomes dogmatic. – kenanng Jan 12 '14 at 16:18

2 Answers


You are quite correct that exposing the username and password in plain text in the query string is a bad idea. Like worse than the last three Star Wars movies.

You should be fine though if the same request is made over SSL (assuming a trusted certificate).

REST also has a host of other mechanisms for security like the DOSETA specifications for digital signatures, JSON Web Signature and Encryption, and so on. But you seemed to hint those kinds of things aren't an option.

Vidya
  • Thanks for the confirmation. It does give me goosebumps coding usernames and passwords in our client's application, especially when they are not savvy. In fact I'm trying to work around the current authentication method to see if it is possible to implement your suggested mechanisms above. Would App ID and App Key pairs be practical? – kenanng Jan 12 '14 at 09:56
  • REST doesn't specify any kind of security mechanisms. HTTP however does allow you to specify authorization information in the `Authorization` header. – Darrel Miller Jan 12 '14 at 13:28

The HTTP Authentication header is designed to store information such as username and password. You should use that.

Darrel Miller
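Both answers point the same way: keep the GET verb, send the credentials in the `Authorization` header (HTTP Basic, base64 of `username:password`), and only ever do it over TLS. One caveat worth stating plainly: TLS hides the URL on the wire, but a query string like `?username=XYZ&password=123` still lands in server access logs, reverse-proxy logs, browser history and outgoing `Referer` headers, so the header is the right place even with SSL. The following is an added example, not code from the question or either answer. It assumes a constructed in-memory user table (`USERS`, `CREDITS`), an `https` flag standing in for "this request arrived over TLS", and a plain dict of request headers; the function names are mine.

```python
import base64
import binascii
import hmac
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample data for the example. A real service stores a salted
# password hash, never the plaintext, and looks credits up in its own store.
USERS = {"XYZ": "123"}
CREDITS = {"XYZ": 42}


def build_basic_auth_header(username: str, password: str) -> str:
    """Client side: build the value for an 'Authorization: Basic ...' header."""
    if ":" in username:
        # RFC 7617: the user-id may not contain a colon, it is the separator.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header_value):
    """Server side: return (username, password) from an Authorization header, or None."""
    if header_value is None:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token: treat as absent, never as a partial match
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def credentials_valid(username: str, password: str) -> bool:
    """Constant-time password check; unknown users take the same path as wrong passwords."""
    expected = USERS.get(username)
    match = hmac.compare_digest((expected or "").encode("utf-8"), password.encode("utf-8"))
    return match and expected is not None


def handle_credit_request(method: str, url: str, headers: dict, https: bool = True):
    """Minimal GET /credit handler. Returns (status, response_headers, body)."""
    if not https:
        # Never evaluate credentials on a cleartext request; that is the leak the question worries about.
        return 403, {}, "credentials are only accepted over TLS"
    parts = urlsplit(url)
    if method != "GET" or parts.path != "/credit":
        return 404, {}, "not found"
    query = parse_qs(parts.query)
    if "username" in query or "password" in query:
        # Refuse rather than accept: query strings are written to access logs,
        # proxy logs, browser history and Referer headers even over TLS.
        return 400, {}, "send credentials in the Authorization header, not the query string"
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    creds = parse_basic_auth(lowered.get("authorization"))
    if creds is None or not credentials_valid(*creds):
        return 401, {"WWW-Authenticate": 'Basic realm="credit", charset="UTF-8"'}, "unauthorized"
    username, _ = creds
    body = json.dumps({"username": username, "credits": CREDITS[username]})
    return 200, {"Content-Type": "application/json"}, body
```

Because the handler answers a missing, malformed or wrong header with the same 401 and a `WWW-Authenticate` challenge, a client cannot distinguish "no such user" from "wrong password" by status or timing; the query-string case gets a distinct 400 on purpose so a misconfigured client is caught in development rather than quietly logging passwords in production.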