
One of the requirements for implementing a REST API is that the client has to send the required state information to the server every time it makes a request. Assume authentication is in place and I'm successfully authenticating users to use the REST API, which means that with every request I'm verifying that the user has rights to access the API.

What if I have multiple users and each user has different access rights, so each user can only call a different set of web services? I'm wondering how this is normally handled by the server. I figure the only way to do this is to check the authentication of each user (via a password hash code, etc.) with each request to verify that he has access rights to the requested service. If that is correct, then what are the recommended ways of handling authentication of multiple users in such a scenario?

I'm using Flask to develop my API, so any specific suggestions will be much appreciated :)

Thanks in advance.

Lakmal Caldera

1 Answer


Authenticate a user first by username and password. Return a token or hash code.

Prior to any action you take on the server's API, check the user's permissions by using the token.

You always want to check permissions on the REST API. They can all make the call to the API. Their permissions are what will determine whether they can or can't make the request.

ADL
  • So this hash code would need to be stored in a cookie at all times on the client end, yes? Isn't that kind of risky? Someone could steal a cookie or hijack the hash code? There is this key called a secret key on the server; I'm not sure where exactly it is stored on the client, but I believe it adds a level of security against such risks. – Lakmal Caldera Mar 05 '15 at 05:28
  • If you are using a Web Service, you can use "sessions". However, with REST APIs there are no sessions. You must authenticate the user somehow, thus yes, you can store the token in a cookie. By doing so, also understand that you should also be using HTTPS. More information here: http://stackoverflow.com/questions/319530/restful-authentication – ADL Mar 05 '15 at 06:01
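The two steps the answer describes (log in once with username and password to get a token, then on every request map the token back to the user and check that user's permission for the requested service), as an added example that is not code from the question or the answer. It is framework-independent standard-library Python; the user table, endpoint names and permission names are constructed for the demo, and the server stores only a hash of each issued token so a leaked token table does not hand out live credentials.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the server never stores the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user table (hypothetical users and permission names): each user
# has a password hash and the set of permissions that gates which endpoints
# they may call, which is the "different set of web services" from the question.
_SALT_ALICE, _SALT_BOB = secrets.token_bytes(16), secrets.token_bytes(16)
USERS = {
    "alice": {"salt": _SALT_ALICE, "hash": _hash_password("alice-pw", _SALT_ALICE),
              "permissions": {"read:orders", "write:orders"}},
    "bob": {"salt": _SALT_BOB, "hash": _hash_password("bob-pw", _SALT_BOB),
            "permissions": {"read:orders"}},
}
# Hypothetical endpoints and the permission each one requires.
ENDPOINT_PERMISSION = {"GET /orders": "read:orders", "POST /orders": "write:orders"}

TOKEN_TTL = 3600          # seconds a token stays valid
_tokens = {}              # sha256(token) -> (username, expiry); never the raw token


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def login(username: str, password: str) -> Optional[str]:
    """Step 1 of the answer: verify credentials once, hand back an opaque token."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"]):
        return None
    token = secrets.token_urlsafe(32)  # unguessable random handle, not derived from the password
    _tokens[_token_key(token)] = (username, time.time() + TOKEN_TTL)
    return token


def authorize(token: Optional[str], endpoint: str) -> Tuple[int, str]:
    """Step 2: run on every request. Returns (HTTP status, username or reason)."""
    entry = _tokens.get(_token_key(token or ""))
    if entry is None or entry[1] < time.time():
        return 401, "missing, unknown or expired token"
    username, _ = entry
    needed = ENDPOINT_PERMISSION.get(endpoint)
    if needed is None:
        return 404, "unknown endpoint"
    if needed not in USERS[username]["permissions"]:
        return 403, f"{username} lacks {needed}"
    return 200, username
```

In a Flask app, `authorize` would be called from a decorator applied to each view, reading the token from the request's `Authorization` header or cookie and returning the 401/403 status before the view body runs.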