
I have used RESTHeart and HTTPie to connect to my MongoDB with the following line:

http PUT 127.0.0.1:8080/myfirstdb desc='this is my first db created with restheart' -a username:password

but I think that it is not secure at all to use my RESTHeart username and password directly inside the command. How can I make this request securely without typing my REST username and password in the command?

  • These are not the "MongoDB" authentication credentials, but those that are used by your API. You might have also linked your [previous question](http://stackoverflow.com/q/31957102/5031275) for reference, as well as noted from that that since this is about "RESTHeart" then you should have tagged it as such. If anything, "RESTHeart" will require its "own" configuration to connect securely to MongoDB. But this is about "auth tokens" for RESTHeart, following up from your previous question. – Blakes Seven Aug 12 '15 at 06:53
  • @BlakesSeven okay, anyway, I think using credentials inside of the command is not secure. How can I connect to RESTHeart without these data? –  Aug 12 '15 at 06:59
  • That is why your question has been re-tagged, re-titled and the difference explained to you. You were asking in the wrong place. Hopefully now people who do look at these things might look into it also. But I would suggest reading the documentation, since the answer is surely in there. – Blakes Seven Aug 12 '15 at 07:01

2 Answers


Again, quoting the RestHeart documentation:

RESTHeart uses basic authentication; usernames and passwords are sent over the net on each request. Using the http listener is not secure: users credentials can be sniffed by a man-in-the-middle attack.

http://restheart.org/docs/configuration.html

Basic Authentication (username:password) seems to be the only supported mode of authentication. RestHeart recommends setting up an https listener, so your passwords cannot be sniffed in plain text.

javahippie

If you omit the password in the command, httpie will prompt for it.

http PUT 127.0.0.1:8080/myfirstdb desc='this is my first db created with restheart' -a username

If successfully authenticated, RESTHeart returns you an auth-token that you can use as a temporary password for further calls (it has a time to live that can be set in the configuration file).

Here is an example of response headers:

 Auth-Token: 6a81d622-5e24-4d9e-adc0-e3f7f2d93ac7
 Auth-Token-Location: /_authtokens/user@si.com
 Auth-Token-Valid-Until: 2015-04-16T13:28:10.749Z 

so you can do (note the auth-token used as the basic authentication password):

http GET 127.0.0.1:8080/myfirstdb -a username:6a81d622-5e24-4d9e-adc0-e3f7f2d93ac7

Also note that you should use https in production environments.

For more information have a look at the security section of the RESTHeart documentation https://softinstigate.atlassian.net/wiki/x/W4CM

Andrea Di Cesare
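The token flow from the answer above, scripted so the password is sent exactly once and the Auth-Token is reused until its expiry. This is an added example, not RESTHeart's or HTTPie's own code; the header values are the ones quoted in the answer, the `login()` call against a live listener is hypothetical, and the https-only check is the example's own policy.

```python
"""Log in to RESTHeart once, then reuse the Auth-Token as the Basic-auth password."""
import base64
import urllib.request
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample: the response headers quoted in the answer, as a client receives them.
SAMPLE_HEADERS = {
    "Auth-Token": "6a81d622-5e24-4d9e-adc0-e3f7f2d93ac7",
    "Auth-Token-Location": "/_authtokens/user@si.com",
    "Auth-Token-Valid-Until": "2015-04-16T13:28:10.749Z",
}


def basic_auth_header(username: str, secret: str) -> str:
    """Authorization value equivalent to HTTPie's `-a username:secret`."""
    raw = f"{username}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def is_https(url: str) -> bool:
    """Basic auth sends the secret in clear text unless the listener is https."""
    return urlsplit(url).scheme == "https"


def parse_auth_token(headers) -> dict:
    """Pull token, location and expiry out of response headers (names are case-insensitive)."""
    lower = {k.lower(): v for k, v in headers.items()}
    if "auth-token" not in lower:
        raise ValueError("no Auth-Token header: authentication did not succeed")
    expiry = datetime.strptime(lower["auth-token-valid-until"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return {
        "token": lower["auth-token"],
        "location": lower.get("auth-token-location"),
        "valid_until": expiry.replace(tzinfo=timezone.utc),
    }


def token_usable(info: dict, now=None) -> bool:
    """True while the token has not reached its Auth-Token-Valid-Until time."""
    now = now or datetime.now(timezone.utc)
    return now < info["valid_until"]


def login(url: str, username: str, password: str) -> dict:
    """Send the password once (https only) and return the token to reuse afterwards."""
    if not is_https(url):
        raise ValueError("refusing to send the password over plain http")
    req = urllib.request.Request(url, headers={"Authorization": basic_auth_header(username, password)})
    with urllib.request.urlopen(req) as resp:  # hypothetical live call, not exercised offline
        return parse_auth_token(resp.headers)
```

Subsequent calls pass `basic_auth_header(username, info["token"])` while `token_usable(info)` holds, and log in again once it expires.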