Hello there,

I run a website that is written in Rails that uses the standard authentication mechanisms, where you provide your user and password and that gets challenged against an encrypted value.

Now I am about to expose some of the features via API, and I am thinking about running a separate API server that would be a Sinatra app. However, sending the user id and password over the internet doesn't seem very secure, even though we'll be using HTTPS on the server.

One way of authentication that I always liked is the way, for instance, GitHub handles pushes to their servers. When you give them your public SSH RSA key, it makes this machine authorized to interact as you with their server.

Would it be possible to have something similar for this API, even using HTTPS? What kind of approaches to this problem are known patterns in the Ruby community? Any guidance, in terms of Gems, Articles and such would be nice.

Thanks in advance, this forum/list has *always* been very insightful.

Best regards,
-- Felipe.
on 2009-03-30 03:39
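The request-signing flow Felipe is asking about can be done over plain HTTPS with the OpenSSL that ships with Ruby: the client keeps a private key, the API stores only the public half under a key id, and every request carries a signature over the method, path, a timestamp and a hash of the body. The example below is added here and is not code from this thread; the header names, the `key_id` registry and the five-minute skew window are assumptions.

```ruby
require 'openssl'
require 'base64'
require 'time'

# Canonical string the client signs and the server re-derives from the request
# it actually received. Covering the body digest and a timestamp means a
# captured request can neither be altered nor replayed much later.
def canonical_string(method, path, timestamp, body)
  body_digest = OpenSSL::Digest::SHA256.hexdigest(body.to_s)
  [method.upcase, path, timestamp, body_digest].join("\n")
end

# Client side: produce the headers that accompany an API call (RSA-SHA256).
def sign_request(private_key, key_id, method, path, body, now = Time.now.utc)
  timestamp = now.iso8601
  signature = private_key.sign(OpenSSL::Digest::SHA256.new,
                               canonical_string(method, path, timestamp, body))
  { 'X-Key-Id' => key_id,
    'X-Timestamp' => timestamp,
    'X-Signature' => Base64.strict_encode64(signature) }
end

# Server side: look up the registered public key for the key id and verify the
# signature over what was received. Returns the key id on success, nil otherwise.
def verify_request(registry, headers, method, path, body, now = Time.now.utc, max_skew = 300)
  public_key = registry[headers['X-Key-Id']]
  return nil unless public_key
  timestamp = Time.iso8601(headers['X-Timestamp'].to_s) rescue nil
  return nil unless timestamp && (now - timestamp).abs <= max_skew   # replay window
  signature = Base64.strict_decode64(headers['X-Signature'].to_s) rescue nil
  return nil unless signature
  data = canonical_string(method, path, headers['X-Timestamp'], body)
  begin
    public_key.verify(OpenSSL::Digest::SHA256.new, signature, data) ? headers['X-Key-Id'] : nil
  rescue OpenSSL::PKey::PKeyError   # malformed signature blob
    nil
  end
end

# Constructed demo key pair; only the public half is stored on the API server,
# keyed by an identifier the user chose when registering the key (assumed).
USER_KEY = OpenSSL::PKey::RSA.new(2048)
KEY_REGISTRY = { 'felipe-laptop' => OpenSSL::PKey::RSA.new(USER_KEY.public_key.to_pem) }

if __FILE__ == $0
  hdrs = sign_request(USER_KEY, 'felipe-laptop', 'POST', '/api/items', '{"name":"x"}')
  p verify_request(KEY_REGISTRY, hdrs, 'POST', '/api/items', '{"name":"x"}')  # "felipe-laptop"
  p verify_request(KEY_REGISTRY, hdrs, 'POST', '/api/items', '{"name":"y"}')  # nil, body altered
end
```

HTTPS still matters here: it keeps the request body private, while the signature is what ties the request to the registered key.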
on 2009-03-30 05:18
On Mar 29, 6:39 pm, Felipe C. <firstname.lastname@example.org> wrote:
> One way of authentication that I always liked is the way, for instance,
> GitHub handles pushes to their servers. When you give them your public
> SSH RSA key, it makes this machine authorized to interact as you with their
> server.

GitHub uses gitosis, which is a Python application built on top of SSH. There is a "git" user and the git commands are run as that user, so the shortest path, to mimic gitosis, would involve building on top of SSH, not HTTPS. You should read the gitosis code.

http://eagain.net/gitweb/?p=gitosis.git;a=summary

Alan G. - email@example.com - http://blogometer.com