Eduardo D. wrote:
I’m using Rails edge because I’m trying REST.
I’m facing a problem: how to do authentication for my app’s REST API.
I’m trying not to repeat myself, so I was thinking of using large tokens
and modifying restful_authentication to recognize this token and require
all calls to the api to specify it. If I’m not wrong, this might cause
problems because restful_auth depends on sessions which depend on
cookies which a client that accesses the API might not support.
I want to know if someone has dealt with this problem before. Any tips
or ideas are greatly appreciated.
I haven’t liked any of the username/password authentication things that
are out there. (e.g. Basecamp API)
I’ve implemented a token-based thing like you suggest. The user has the
application create an API token (if API stuff is to be enabled). This
token is stored with the account.
I use the map.resources bit to map out the API resources with a prefix
like /api/:api_token:

  map.with_options :path_prefix => "/api/:api_token" do |api|
    api.resources :items
  end

This then maps to the “item” resource in the RESTful manner. Since URLs are
encrypted for HTTPS, this seems pretty secure to me. (i.e. the
api_token is never in the wild)
My “require_login” filters automatically check for the api_token and can
authenticate that way. If no api_token is present, authentication must
be done with the session.
If the user wants to change the api_token, they’re free to do so at any
time. Personally, I don’t like the idea of keeping a username and
password somewhere in an application that is using an API. I’d much
rather just set the token.
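As an added illustration of the scheme described in the reply above (this is not the poster’s code, and it needs no Rails to run): the filter accepts an api_token from the routed path and falls back to the cookie-backed session only when no token is present; the account stores a SHA-256 digest of the token rather than the token itself; and issuing a token again rotates it, as the reply says the user may do. The in-memory ACCOUNTS hash, the Account struct and the API_ROUTE regexp (standing in for map.with_options / map.resources) are assumptions made for the example. One practical note: a token carried in the path shows up in web-server and proxy access logs even over HTTPS, which is one more reason the rotation the reply describes is worth keeping cheap.

```ruby
require 'securerandom'
require 'digest'

# Constructed stand-in for the ActiveRecord account model (hypothetical).
# Only the digest of the API token is persisted, never the token itself.
Account = Struct.new(:id, :login, :api_token_digest)
ACCOUNTS = {} # id => Account (constructed in-memory store)

# Route shape the reply describes: /api/:api_token/items(/:id).
# Stands in for map.with_options :path_prefix => "/api/:api_token".
API_ROUTE = %r{\A/api/(?<api_token>[^/]+)/items(?:/(?<id>\d+))?\z}

def hash_token(token)
  Digest::SHA256.hexdigest(token)
end

# Constant-time comparison so a mismatch at byte 1 and at byte 63 take the
# same time; comparing digests rather than raw tokens also keeps the stored
# value useless if the account table leaks.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Create, or rotate, the account's API token. The plain token is returned
# exactly once for the user to copy; 32 random bytes = 256 bits of entropy.
def issue_api_token(account)
  token = SecureRandom.hex(32)
  account.api_token_digest = hash_token(token)
  token
end

def find_account_by_token(token)
  return nil if token.nil? || token.empty?
  digest = hash_token(token)
  ACCOUNTS.values.find do |acct|
    acct.api_token_digest && secure_compare(acct.api_token_digest, digest)
  end
end

# Turn a request path into the params Rails' router would hand the filter.
def route_params(path)
  m = API_ROUTE.match(path)
  return nil unless m
  params = { api_token: m[:api_token], controller: 'items' }
  params[:id] = m[:id].to_i if m[:id]
  params
end

# Mirrors the reply's require_login filter: a token in the path is
# authoritative (a bad token is rejected even if a session exists);
# with no token at all, authentication falls back to the session.
def require_login(params, session)
  if params.key?(:api_token)
    account = find_account_by_token(params[:api_token])
    account ? [:ok, account] : [:unauthorized, nil]
  elsif session[:user_id]
    account = ACCOUNTS[session[:user_id]]
    account ? [:ok, account] : [:unauthorized, nil]
  else
    [:unauthorized, nil]
  end
end

# Whole-request check: route the path, then run the filter.
def handle_request(path, session = {})
  params = route_params(path)
  return [:not_found, nil] unless params
  require_login(params, session)
end

if $PROGRAM_NAME == __FILE__
  demo = Account.new(99, 'demo', nil)
  ACCOUNTS[demo.id] = demo
  token = issue_api_token(demo)
  p handle_request("/api/#{token}/items/1")       # => [:ok, #<struct Account ...>]
  p handle_request('/api/not-a-real-token/items') # => [:unauthorized, nil]
  p require_login({}, { user_id: 99 })            # => [:ok, #<struct Account ...>]
end
```

The filter returns a status/account pair instead of redirecting or rendering 401 so that the decision is testable on its own; in a controller the same function would sit behind before_filter and the caller would translate [:unauthorized, nil] into the appropriate response.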