Exposing an API over HTTPS


#1

Hello there,

I run a website that is written in Rails that uses the standard
authentication mechanisms, where you provide your user and password and
that gets challenged against an encrypted value.

Now I am about to expose some of the features via API, and I am thinking
about running a separate API server that would be a Sinatra app.

However, sending the user id and password over the internet doesn’t seem
very secure, even though we’ll be using HTTPS on the server.

One way of authentication that I always liked is the way, for instance,
GitHub handles pushes to their servers. When you give them your public
SSH RSA key, that makes this machine authorized to interact as you with
their server.

Would it be possible to have something similar for this API, even using
HTTPS? What kind of approaches to this problem are known patterns in the
Ruby community? Any guidance, in terms of Gems, Articles and such, would
be nice.

Thanks in advance, this forum/list has always been very insightful.

Best regards,
– Felipe.


#2

On Mar 29, 6:39 pm, Felipe C. removed_email_address@domain.invalid wrote:

> One way of authentication that I always liked is the way, for instance,
> GitHub handles pushes to their servers. When you give them your public
> SSH RSA key, makes this machine authorized to interact as you with their
> server.

GitHub uses gitosis, which is a Python application built on top of
SSH. There is a “git” user and the git commands are run as that user,
so the shortest path, to mimic gitosis, would involve building on top
of SSH not HTTPS.

You should read the gitosis code.

http://eagain.net/gitweb/?p=gitosis.git;a=summary

Alan G. - removed_email_address@domain.invalid - http://blogometer.com
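The scheme Felipe asks about, a registered public key standing in for a password, can also be carried over HTTPS by having the client sign each request and the server verify the signature against the key on file. This is an added example in plain Ruby (usable from a Sinatra handler), not code from either poster; the header names, the five-minute replay window and the user name are assumptions.

```ruby
require 'openssl'
require 'digest'

# Constructed example: the client signs each HTTPS request with its RSA
# private key; the server checks the signature against the public key
# registered for that user, so no password ever travels in the request.
REPLAY_WINDOW = 300 # seconds; assumed window for rejecting stale/replayed requests

# Server-side registry of user => public key, filled when a user uploads a key.
PUBLIC_KEYS = {}

def register_public_key(user, pem)
  PUBLIC_KEYS[user] = OpenSSL::PKey::RSA.new(pem)
end

# Canonical string covering everything that must not be tampered with:
# HTTP method, path, timestamp and a digest of the body.
def canonical(method, path, timestamp, body)
  [method.upcase, path, timestamp.to_s, Digest::SHA256.hexdigest(body)].join("\n")
end

# Client side: produce the authentication headers for one request.
def sign_request(user, private_key, method, path, body, now = Time.now.to_i)
  data = canonical(method, path, now, body)
  sig  = private_key.sign(OpenSSL::Digest.new('SHA256'), data)
  { 'X-User' => user, 'X-Timestamp' => now.to_s, 'X-Signature' => [sig].pack('m0') }
end

# Server side: returns the authenticated user name, or nil if the request
# is unknown, stale, tampered with, or signed with the wrong key.
def authenticate(headers, method, path, body, now = Time.now.to_i)
  user = headers['X-User']
  pub  = PUBLIC_KEYS[user]
  return nil unless pub
  ts = Integer(headers['X-Timestamp'], exception: false)
  return nil if ts.nil? || (now - ts).abs > REPLAY_WINDOW
  sig = headers['X-Signature'].to_s.unpack1('m0')
  ok  = pub.verify(OpenSSL::Digest.new('SHA256'), sig, canonical(method, path, ts, body))
  ok ? user : nil
rescue OpenSSL::PKey::PKeyError, ArgumentError
  nil # malformed base64 or signature counts as a failed authentication
end
```

The timestamp bounds how long a captured request can be replayed; HTTPS still protects confidentiality of the body, while the signature binds the request to the key holder.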