This may be a stupid question, but how can one write a secure RESTful API? If I want to ensure that the client is a valid user, would it be unwise to send a post request with the following object?
{
"user": "some_user",
"password": "some_password",
"field1": "some_data",
"field2": "some_more_data"
}
I currently hesitate to do something like that. Doesn't that reveal the username and password in plain text to everyone on the network and everything between the client and the server? Should I use SSL or something similar? Are there any RESTful security readings you have found valuable?
Thanks for the help.
For a RESTful API it is not recommended to pass the credentials in the JSON body in every request; instead you use the headers to authenticate each call. For further options on how to secure your API you can check this blog (full disclosure: I work for that company, but since it's what we do, I think it is a good resource).
I'm migrating from Firebase where this was rather simple to do.
I'm building a custom api because the environment I need to build in will not let me use any official sdk's or anything, so this solely has to be done via rest type actions.
I essentially want to just post the username/password to AWS Cognito, and receive an auth token that I can then append to the headers of future requests (to other API calls).
After hunting for quite a bit, almost all help has postman connecting to Amazon's login UI etc, and I cannot do that. It must completely handle the login process "behind the scenes" and not prompt the user with Amazon's own UI.
So, assuming this is possible:
What headers do I need (content-type etc)
How do I format the body json (or is it using something else?)
I assume I'd send it as "raw" body.
This is as far as I got so far and I'm scratching my head:
Url: https://[DOMAIN].auth.us-east-1.amazoncognito.com/oauth2/token
Body Json:
{
"ClientId": "1234etc",
"Password": "Password1_",
"UserAttributes": [
{
"Name": "email",
"Value": "test#test.com"
}
],
"Username": "test#test.com"
}
No idea if this is even the right format for the JSON; I just scalped it from other posts.
I'm setting up some authentication methods in my elasticsearch endpoint in AWS. So, I'm trying to make HTTP requests to this endpoint parsing inside this body the IAM credentials but I have no idea how I can do it.
Maybe adding a field in the content body or header before the query, or something like that:
{
"IAM-ARN":"SOMERANDOMID",
"IAM-PASS":"SOMERANDOMPASS"
}
I would be so thankful for finding this solution.
Thank you!
You can access using IAM credentials by signing the requests as if you were making a call to AWS api.
Here's an example:
https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#ConstructingTheAuthenticationHeader
Or you could just use an sdk. What language are you using?
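To make the "sign the request as if you were calling the AWS API" answer concrete, here is an added example (not from the answer above and not an AWS SDK) of AWS Signature Version 4 in plain Python: the IAM secret never leaves the client, and the signature is bound to the host, the timestamp and a hash of the request body. The domain host name, the service name "es" and the credentials are constructed placeholders.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed credentials and timestamp for illustration only.
ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
EXAMPLE_TIME = datetime(2015, 8, 30, 12, 36, tzinfo=timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_headers(method, host, path, query, body, region, service,
                  access_key, secret_key, now=None):
    """Return Host, X-Amz-Date and Authorization headers for a SigV4 request.
    Only host and x-amz-date are signed; the body is bound via its SHA-256."""
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(body).hexdigest()
    # Canonical query string: keys sorted, keys and values URI-encoded.
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(query.items()))
    signed_headers = "host;x-amz-date"
    canonical_request = "\n".join([
        method, quote(path, safe="/-_.~"), canonical_query,
        f"host:{host}\nx-amz-date:{amz_date}\n", signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    # Derive the per-day signing key from the secret; the secret itself is never sent.
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode("utf-8"),
                                        date_stamp), region), service), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"Host": host, "X-Amz-Date": amz_date, "Authorization": authorization}


def sign_es_search(query_body: bytes, now=None):
    """Sign a POST /_search to a hypothetical Amazon Elasticsearch domain."""
    return sigv4_headers("POST", "search-example.us-east-1.es.amazonaws.com",
                         "/_search", {}, query_body, "us-east-1", "es",
                         ACCESS_KEY, SECRET_KEY, now)
```

Send the returned headers with the same body over HTTPS; if the body or timestamp is altered in transit the signature no longer verifies, and a temporary-credential session token would additionally go in an X-Amz-Security-Token header and into the signed headers.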
I am trying to use the plivo.com api with Filemaker to send SMS with my database.
I am using "insert from URL" to POST to the api, like below:
(ACCOUNTID, FROMNUMBER, and TONUMBER have been switched out)
httpspost://api.plivo.com/v1/Account/ACCOUNTID/Message/{"src":"FROMNUMBER", "dst":"TONUMBER", "text":"Testing text"}
The Plivo site said something about using JSON for receiving. I had tested with other FileMaker solutions (FmSms) and confirmed the functionality is working, so it has to be that my POST query is in the wrong format.
Would be great if someone with experience can give me some pointers in solving this issue.
Linkage to Plivo's documentation regarding messaging
Thanks in advance
Sunny
This will not work with FileMaker alone. The webservice accepts content-type application/json, FileMaker can send x-www-form-urlencoded only.
It may be possible to use a web viewer with some javascript to handle the request and return data back to FileMaker. See the blog post here: http://www.soliantconsulting.com/blog/2014/11/filemaker-and-javascript-ajax-post
Also, the free BaseElements plugin will allow you to set custom headers and should also work.
I'm adding a new REST service to our API, and wanted to canvas a few opinions on the best REST API. The service is used to retrieve the user's email address in case they have forgotten what their username is. The service requires three parameters:
Account number (this is a number that is on their printed statement)
Surname
Date of birth
If we find a match for these three pieces of info, the service returns JSON containing a masked version of the user's registered email address (eg. jo******#gmail.com) so that the UI can present a message something like "We are going to send your username to j******#g******.com. Is that OK?"
Note that the service doesn't actually change anything within their account or send an email (it is purely fetching info so that the user can confirm the next step), so it seems to me that a GET request is the way to go. The question is how to represent it? It strikes me that /users is a reasonable place to start(?), but then what? Using the URL path, I might end up with something like:
/users/accountEmail/accountNumber/123456/surname/Smith/dateOfBirth/25-12-1970
This seems icky as, ordinarily, our /users URLs contain the username (eg. /users/john/transactions), but clearly for this API call we don't actually know who the user is yet. I'm also not sure it really indicates what the service actually does. Alternatively, I could use URL query params:
/users/accountEmail?accountNumber=123456&surname=Smith&dateOfBirth=25-12-1970
This feels a bit more natural, but I'm unsure that stringing all those input parameters into the URL is a good idea. Then again, maybe /users is the wrong noun. Maybe it should be like:
/accountEmail/...
Having said all that, maybe given the service's idempotence, I could actually use a PUT request and encode the parameters into the HTTP body. Not sure about using PUT for read-only requests though... it seems a bit like heading down the RPC path. The one nice thing about the PUT approach though is that it doesn't log this relatively sensitive user input into any web server logs.
I'd be interested in opinions or hearing what other API developers did in a similar situation. Thanks.
First of all, don't use method GET with sensitive information in URL parameters or in a URL path, because that information can be stored in web server access log files, the browser's history, HTTP proxy log files, etc.
Security-wise you need to use method POST in this case. In regard to the URL to use, I'm not that sure, probably something like /accounts, and put all parameters in the request body.
Your second approach is what I would use. Logically, the URLs are built following these steps.
Collection Resource of Users
The URL
GET /users
returns a list of all users including all user properties.
{
"12345": {
"surname": "Smith",
"firstname": "John",
"dateOfBirth": "1970-12-25",
"accountEmail": "john.smith#example.com"
},
"6789": {
"surname": "Hallow",
"firstname": "Jane",
"dateOfBirth": "1981-02-15",
"accountEmail": "jane.hallowh#example.com"
}
}
Sub-Collection Resource of User Emails
The URL
GET /users/accountEmail
returns a list of all emails for all users.
{
"12345": {
"accountEmail": "john.smith#example.com"
},
"6789": {
"accountEmail": "jane.hallowh#example.com"
}
}
Filter this Resource
The URL
GET /users/accountEmail?accountNumber=123456&surname=Smith&dateOfBirth=25-12-1970
returns a filtered list of emails for the users that match the query parameters.
{
"12345": {
"accountEmail": "john.smith#example.com"
}
}
Using SoapUI 4.6, I need to authenticate to a REST API using a certificate and username/password, and then I have to get the session id (cookie) and work with it for other operations. How can I do this? Any reference?
I do this manually in order to avoid any unknown cookies and/or "magic" that the session manager might pass along. Here is my Java RestAssured example and the equivalent SoapUI request headers:
response = given().cookie("SESSIONID", "12345").cookie("ABC_123", "abcde").header("CLIENT_ID", "aaa123");
In SoapUI set these headers:
Name       Value                           Style    Level
CLIENT_ID  aaa123                          HEADER   RESOURCE
Cookie     SESSIONID=12345; ABC_123=abcde  HEADER   RESOURCE
i.e. you put all the cookies, in the correct format, in a single header called "Cookie". Standard HTTP stuff, but nobody really gave this answer yet.