So how do I work authentication into an API?


#1

We’ve built a RESTful API that’s really easy to use. The question now
is how do I build in authentication? My app itself has uses
acts_as_authenticated to manage authentication when someone is using
the app. But what about when they’re using the API remotely instead?
I’m not sure how to handle that. Thanks for any info.

Pat


#2

On 1/11/07, Justin W. removed_email_address@domain.invalid wrote:

Use HTTP AUTH. Check this out for more information:
http://blogs.23.nu/c0re/stories/7409/

There’s also the restful_authentication plugin:
http://svn.techno-weenie.net/projects/plugins/restful_authentication/

I actually am using the restful_authentication plugin to handle
authentication…it’d be sweet if I could just use that without making
too many changes.

Basically the problem is that the authentication is stored in the
session (as the first link discusses). So if my client code isn’t
managing a session, I can’t use it.

Net::HTTP.start(‘localhost’, 3000) do |http|
http.post “/sessions”, “login=myusername&password=mypassword”
response = http.post “/users/7/books”, “book[title]=supercool”
puts response.body
end

That should create a new book resource, but it just redirects to the
login page. I can only assume that it’s because Net::HTTP.start
doesn’t actually handle session stuff.

One approach that I’ve seen is to have an API key and pass that in as
a parameter on requests. That seems like it’d probably be the easiest
approach. I don’t know if it’s best though.

I’d like to figure out the best way to do this, ideally just using
restful_authentication and all the user info I have right now.
Clients are going to be whatever they want to be…I just need a way
of controlling access to the resources we’re exposing.

Pat


#3

Use HTTP AUTH. Check this out for more information:
http://blogs.23.nu/c0re/stories/7409/

There’s also the restful_authentication plugin:
http://svn.techno-weenie.net/projects/plugins/restful_authentication/

Justin W.
Owner, Second Gear
http://www.secondgearllc.com/

Check out Porchlight: bug tracking for small teams
http://www.porchlightnow.com


#4

On 1/11/07, Pat M. removed_email_address@domain.invalid wrote:

I’d like to figure out the best way to do this, ideally just using
restful_authentication and all the user info I have right now.
Clients are going to be whatever they want to be…I just need a way
of controlling access to the resources we’re exposing.

Actually, it looks like it’ll be really easy with HTTP AUTH.
http://ryandaigle.com/articles/2006/12/4/whats-new-in-edge-rails-new-http-authentication-plugin-and-a-plea-to-contribute
has info on a new http auth plugin. I tried it out just now and it
seems to work great.

So the only consideration here is that every single request requires
that the username and password be included in the URL. Is that a bad
thing? Obviously a client can wrap that up, but I’d just like to know
if it’s bad for some reason to have to include auth info in each
request. One possibly downside is that either all auth info is
unencrypted from now on, or every request has to be done through SSL.

Pat