mcavoyk / Quirk

Quirk is an open source, hyperlocal, anonymous social media platform for mobile and web clients.
GNU Affero General Public License v3.0

Harden API to prevent easy location spoofing #14

Open mcavoyk opened 5 years ago

mcavoyk commented 5 years ago

Every route should be given location information, so this should be moved to middleware. The API needs to somehow ensure the authentication of the client and the client's location data it is being given; otherwise simple scripts could view Quirk posts from anywhere or post on Quirk from anywhere.

mcavoyk commented 5 years ago

Might consider having the authentication use a hash of user GUID + secret build token + current time for each request. The included timestamp would make the tokens non-replayable past ~60s, and valid hashes would be difficult to create without the secret build token.
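A request-signing check along the lines of this comment, as an added example that is not Quirk's own code: it uses an HMAC (keyed hash) over the user GUID and timestamp, rejects tokens outside a ~60 s window, and goes beyond the comment by also binding the reported coordinates into the MAC so a signed request cannot carry edited location data. `BUILD_SECRET`, the field names and the sample values are constructed for the example.

```python
import hashlib
import hmac
import time

# Placeholder for the secret the build would embed in the client (constructed, not a real value).
BUILD_SECRET = b"example-build-secret-not-real"
MAX_SKEW_SECONDS = 60  # the ~60 s validity window from the comment


def canonical(user_guid, timestamp, lat, lon):
    # Fixed field order and fixed float formatting so client and server MAC identical bytes.
    return f"{user_guid}|{timestamp}|{lat:.6f}|{lon:.6f}".encode()


def sign_request(secret, user_guid, timestamp, lat, lon):
    # Client side: HMAC-SHA256 instead of a bare hash, so the secret is a proper key.
    return hmac.new(secret, canonical(user_guid, timestamp, lat, lon), hashlib.sha256).hexdigest()


def verify_request(secret, user_guid, timestamp, lat, lon, signature, now=None, seen=None):
    """Server-side middleware check. Returns (ok, reason).

    `seen` is an optional set of already-accepted (guid, timestamp, signature)
    tuples so that an exact replay inside the window is also rejected.
    """
    now = time.time() if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"          # check freshness before doing any crypto
    expected = sign_request(secret, user_guid, timestamp, lat, lon)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"            # constant-time compare; covers tampered coordinates
    if seen is not None:
        key = (user_guid, timestamp, signature)
        if key in seen:
            return False, "replayed"
        seen.add(key)
    return True, "ok"


def demo():
    # Constructed sample request, then the failure modes the middleware must reject.
    guid, ts, lat, lon = "client-guid-0001", 1_700_000_000, 47.6062, -122.3321
    sig = sign_request(BUILD_SECRET, guid, ts, lat, lon)
    seen = set()
    return {
        "fresh": verify_request(BUILD_SECRET, guid, ts, lat, lon, sig, now=ts + 5, seen=seen)[1],
        "tampered_location": verify_request(BUILD_SECRET, guid, ts, lat + 1.0, lon, sig, now=ts + 5, seen=seen)[1],
        "stale": verify_request(BUILD_SECRET, guid, ts, lat, lon, sig, now=ts + 120, seen=seen)[1],
        "replay": verify_request(BUILD_SECRET, guid, ts, lat, lon, sig, now=ts + 10, seen=seen)[1],
    }
```

A secret compiled into a shipped client can be recovered from the binary, so this raises the bar against casual scripting rather than authenticating the client in a strong sense.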