I've got an endpoint for HTTP GET at api/token which requires a username and password. Since HTTP GET can't include a JSON body, I don't know how a password should be sent. Also, once I get the token, how should it be included in API calls? Just another field in JSON or in the header?

You may find this interesting: https://stackoverflow.com/questions/1582894/how-to-send-password-securely-over-http. Also, you can open the browser console and see how each site sends credentials to the server (for example, you may inspect the Stack Overflow login and discover that the password is being sent hashed from the client). – Victor Jun 28 '20 at 13:02
4 Answers
You should leverage the header Authorization, which is the common way to provide credentials within a call to a RESTful service.
This link could give you more hints on this: https://templth.wordpress.com/2015/01/05/implementing-authentication-with-tokens-for-restful-applications/.
Hope it helps you, Thierry

I suggest using JSON Web Tokens, which can be used in a URL, a POST parameter, or an HTTP header.
A good article about JWT is this.

Although JWT tokens are a good working solution for handling authenticated clients, it is not a solution for what the OP is asking for (how to send credentials from client to server). – Victor Jun 28 '20 at 12:54
The endpoint api/token should be an HTTP POST so you can send the username and password in the body.
Then, once you've got the token, it should be sent in every other request using an Authorization header.
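The flow this answer describes, as an added example that is not part of the original answer: a stdlib-only Python server that refuses credentials on GET, issues a bearer token for a POST to /api/token, and checks the Authorization header on later requests. The user store, the token store, the /api/me route and the demo credentials are constructed for the example.

```python
import json, secrets, hmac, threading, http.client
from http.server import BaseHTTPRequestHandler, HTTPServer
USERS = {"alice": "correct horse battery"}  # constructed; real code stores salted hashes
TOKENS = {}  # issued bearer token -> username (in-memory, for the example only)

class TokenAPI(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path.startswith("/api/token"):  # query-string credentials leak into logs/history
            return self.reply(405, {"error": "POST a JSON body to /api/token"})
        scheme, _, token = self.headers.get("Authorization", "").partition(" ")
        user = TOKENS.get(token) if scheme.lower() == "bearer" else None
        if user is None:
            return self.reply(401, {"error": "missing or invalid bearer token"})
        self.reply(200, {"user": user})

    def do_POST(self):  # credentials travel in the request body, not the URL
        if self.path != "/api/token":
            return self.reply(404, {"error": "not found"})
        body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
        expected = USERS.get(body.get("username", ""), "")
        if not expected or not hmac.compare_digest(expected, body.get("password", "")):
            return self.reply(401, {"error": "bad credentials"})  # constant-time compare
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        TOKENS[token] = body["username"]
        self.reply(200, {"token": token})

    def reply(self, code, obj):
        data = json.dumps(obj).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

def call(srv, method, path, body=None, token=None):
    headers = {"Authorization": "Bearer " + token} if token else {}
    conn = http.client.HTTPConnection("127.0.0.1", srv.server_port)
    conn.request(method, path, json.dumps(body) if body else None, headers)
    resp = conn.getresponse()
    return resp.status, json.loads(resp.read())

def run_demo():
    srv = HTTPServer(("127.0.0.1", 0), TokenAPI)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    rejected = call(srv, "GET", "/api/token?username=alice&password=x")[0]
    status, tok = call(srv, "POST", "/api/token", {"username": "alice", "password": "correct horse battery"})
    anon = call(srv, "GET", "/api/me")[0]
    authed = call(srv, "GET", "/api/me", token=tok["token"])
    srv.shutdown()
    return rejected, status, anon, authed
```

Running `run_demo()` also leaves the server's default access log on stderr, where the rejected GET shows the password inside the request line while the POST shows only the path: that log line is the reason credentials belong in the body.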

There's no true practice but only common practice.
- If possible, switch your route from GET to POST and send your password in the HTTP body. If not possible, you'll need to append parameters to the URL.
- Once you retrieve an auth token, add a header to each authenticated request with your token as value (e.g. "MyCompany-Auth": "0123456789").
Another good practice is also to use SSL (TLS) over your API calls. You can use a self-signed certificate if you don't want to pay too much.

There is the standard `Authorization` header. So he can use `Authorization: bearer 0123456789`. – Fred Apr 28 '17 at 13:06