How to design a RESTful API to check for user's credentials?

2018-06-14 11:02:39

I'm designing an API for a mobile app, and I hope to keep it RESTful.
API's are authorized using Basic HTTP Auth, however, When the user open the app for the first time, he need to login first, so I need to design an API to check for user's credentials, which will accept a pair of username and password, return success or fail accordingly.
the problem is what the url should be so it is restful? I don't think /login is a good one.

A good approach is to perform a GET request for the account/profile info of the current user. and have it return the username, settings, avatar url, etc. me is a frequently used as a shorthand identifier of the authenticating user.

GET https://api.example.com/profiles/me
HTTP/1.1 200 OK
{
  "username": "bob",
  "id": "xyz",
  "created_at": 123,
  "image_url": "https://example.com/bob.png"
}

It's typically viewed as poor practice to pass sensitive data via an HTTP GET request.

Password information is sensitive data and is one of the exceptions that breaks the rule that idempotent operations should be GET requests.

Why is this an exception? Browser History and Server Logs will store GET requests. Meaning that this sensitive information is visible as plain text in both places. So if someone gets a hold of either - then that information is now in their hands.

You should use an HTTP POST request to pass this sensitive information to the RESTful API as browsers will not store them and servers will not log them. However, the first line of defense is to use Secure HTTP (HTTPS) to ensure that this information is protected from outsiders.

So pass this information in the body of an HTTP request to an HTTPS URL.

From wikipedia:

The client–server communication is further constrained by no client context being stored on the server between requests. Each request from any client contains all of the information necessary to service the request, and any session state is held in the client.

Because the server stores no session state from the client, your API shouldn't expose any login/logout capability : In each request you should send user credentials, and the server should validate them each time.

Check this discussion in SO, it claryfies this concept.

链接地址: http://www.djcxy.com/p/41140.html

上一篇: REST的无国籍原则实际上意味着什么？

下一篇: 如何设计一个RESTful API来检查用户的凭据？