HashtagSell / posting-api

API for storage and retrieval of posting details for Hashtagsell

Implement API authentication strategy #6

Open that1guy opened 9 years ago

that1guy commented 9 years ago

Documentation mentions htsApp should pass the poster's username in the payload, i.e.

{
    "heading": "a heading for the posting",
    "body": "body of the posting",
    "expires": "2015/01/31",
    "username": "brozeph"
}

For security purposes, should the posting-API validate the user's session cookie and look up the username on the server side? Or return 'please sign in' if the user is logged out?

My original posting API looked like:

// Assumed for this listing: the mongoose model lives at ./models/htsPost (path not given in the issue)
var HTSpost = require('./models/htsPost');

exports.savePost = function (req, res) {

    // Grab payload out of req.body
    var newPost = req.body;

    // Server validates user is logged in; reject the request otherwise
    if (!req.user || !req.user.user_settings) {
        return res.status(401).send({success: false, error: 'please sign in'});
    }

    // Grab the authenticated username server-side and add it to the payload
    newPost.seller_username = req.user.user_settings.name;

    // Use htsPost model and save payload to mongo
    var htsPost = new HTSpost(newPost);
    htsPost.save(function (err) {
        if (err) {
            res.send({success: false, error: err});
        } else {
            res.send({success: true});
        }
    });
};

brozeph commented 9 years ago

My thinking here was to not add any form of authentication into the API just yet. My gut tells me that our best bet is to start with a bi-directional x509 cert to secure communication between the UI and the API and have the UI manage the appropriate permissions and state for now (i.e. make the API kinda dumb for the time being).

Over time, I think we want to replace this with OAuth... but getting that up and running in the very near term will be challenging (it's not exactly hard, but could take a couple weeks to get it right).

that1guy commented 9 years ago

Understood

On Thursday, February 12, 2015, Joshua Thomas notifications@github.com wrote:


that1guy commented 8 years ago

Perhaps we can link into this user API after the Aug 15th launch.

https://github.com/HashtagSell/user-api