Generating and authenticating by API keys


#1

I’m trying to get my head round offering up an API for a RESTful app; is
it just a matter of;

  1. adding an api_key column to the resource on which incoming requests
    will made (the app has a User model but I think the API authentication
    will need to be done on the Site model to which Users belong),

  2. generating the API key using Digest::SHA1 or similar (the last dev
    used SHA1 for the passwords),

  3. authenticating via API keys in a filter (perhaps something along the
    lines of option 2 here
    http://www.whatcodecraves.com/articles/2008/11/25/how_to_make_an_api_for_a_rails_app/).

Unfortunately, the authentication lib is custom (I would much prefer to
be working with one of the community adopted plugins such as Authlogic,
which appears to have API key authentication anyway).

Am I missing anything or does that sound like a reasonable starting
point?


#2

If your site is like most, API keys are handed out to users. So it
would probably be best to just store the key on the user model, and
then do a User.find_by_api_key(…etc…) in your before_filter.

–Matt J.

On May 30, 6:02 am, Neil C. removed_email_address@domain.invalid


#3

Matt J. wrote:

If your site is like most, API keys are handed out to users. So it
would probably be best to just store the key on the user model, and
then do a User.find_by_api_key(…etc…) in your before_filter.

–Matt J.

On May 30, 6:02�am, Neil C. removed_email_address@domain.invalid

Thanks Matt

I was coming to the conclusion that all apps are authorizing API keys
per user, rather than per business or account, as I was thinking of
doing in this instance.

The main reason for the original line of thought is that this
application charges for usage per ‘Site’ (it’s a bit like you might
expect a ‘Business’ or ‘Account’ model to work) and I’ve been reading
that the main reason for API keys is that can be used to monitor usage -
and if I’m monitoring usage, I’m probably going to do it on a per-Site
model basis.

Here’s a tutorial on how to add the API keys to restful-authentication,
in case any fellow new newbies stumble across this thread;
http://www.compulsivoco.com/2009/05/rails-api-authentication-using-restful-authentication/