Open maelp opened 12 years ago
You're right: if someone gets a user's token, he'll be able to post as that user. I consider API tokens to be passwords; users shouldn't give them to random strangers.
Session tokens don't solve the security problem; they just add much more complexity.
The current way isn't very cool. I plan to make api.ost.io a real OAuth2 provider, so ost.io would be a consumer application with its own token, local to the app. Some imaginary application #2 would be a consumer app with a different token. The user would be able to see the token action history and the currently authenticated apps in his personal cabinet. I think this would solve the problems.
Cool. I'm actually trying to build a Heroku framework based on a Brunch, Chaplin and Flask stack, so I'm using parts of your brunch-with-chaplin and ost.io code as inspiration. Since I want to develop a basic but secure and functional framework, I'd be happy to work with you on the OAuth2 implementation.
Sure, I'll ping you when I start the new auth system.
I see that the only thing you need to authenticate to the server is the auth token, which does not change between sessions? Therefore, if someone gets the auth token, he can steal a user's identity, no?
Wouldn't it be safer to use one-time session tokens that expire after a while? This would prevent 'remember session' features, however, and would possibly also prevent multiple concurrent device use (e.g. accessing the server at the same time from desktop and mobile), except if you create a kind of 'valid session tokens list' holding all the currently valid session tokens.
Are there any best practices for API design?
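As an added illustration (not ost.io's code, and not the OAuth2 provider the maintainer plans to build), here is a minimal server-side token store in Python that combines the two ideas raised in this thread: one token per client or device with an expiry, a per-user list of currently valid tokens so desktop and mobile can be logged in at the same time, explicit revocation, and a per-token action history the user could review. The class and method names (`TokenStore`, `Session`, `issue`, `authenticate`, `revoke`, `active_sessions`) and the one-hour default TTL are assumptions made for this example.

```python
"""Added example: server-side bearer-token store with expiry, multi-device
sessions, revocation and per-token action history. Not ost.io's code."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Session:
    user: str
    client: str                  # e.g. "ost.io web" or "mobile app #2"
    expires_at: float            # unix timestamp after which the token is dead
    history: List[Tuple[float, str]] = field(default_factory=list)


class TokenStore:
    """Keeps the 'valid session tokens list' server-side.

    The raw token is only ever held by the client; the store indexes sessions
    by SHA-256(token), so a leaked copy of the store does not yield usable
    tokens. Each login (per device or per consumer app) gets its own token,
    so revoking one does not log out the others.
    """

    def __init__(self, ttl_seconds: float = 3600,
                 clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.clock = clock       # injectable so expiry can be tested offline
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str, client: str) -> str:
        """Create a fresh random token for (user, client) and return it once."""
        token = secrets.token_urlsafe(32)            # 256 bits of randomness
        self._sessions[self._key(token)] = Session(
            user=user, client=client, expires_at=self.clock() + self.ttl)
        return token

    def authenticate(self, token: str, action: str) -> Optional[str]:
        """Return the user owning `token`, or None if unknown/expired/revoked.

        Successful use is appended to the token's history so the user can
        later see what each app did with its token.
        """
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self.clock()
        if now >= sess.expires_at:
            del self._sessions[key]                  # lazy cleanup of expired tokens
            return None
        sess.history.append((now, action))
        return sess.user

    def revoke(self, token: str) -> bool:
        """Invalidate a single device/app token; other sessions stay alive."""
        return self._sessions.pop(self._key(token), None) is not None

    def active_sessions(self, user: str) -> List[Tuple[str, float, List[Tuple[float, str]]]]:
        """What the user would see in a 'personal cabinet': live clients,
        their expiry, and each token's action history."""
        now = self.clock()
        return [(s.client, s.expires_at, list(s.history))
                for s in self._sessions.values()
                if s.user == user and s.expires_at > now]


if __name__ == "__main__":
    # Constructed walk-through: two devices for one user, one gets revoked.
    store = TokenStore(ttl_seconds=60)
    web = store.issue("alice", "ost.io web")
    mobile = store.issue("alice", "mobile")
    print(store.authenticate(web, "post"), store.authenticate(mobile, "post"))
    store.revoke(mobile)
    print([c for c, _, _ in store.active_sessions("alice")])
```

Tokens are random and looked up by hash, so a stolen token is still a full credential until it expires or is revoked; what this design buys over a single never-changing token is that the damage is bounded in time and scoped to one device or app, and the user can see and kill individual sessions.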