Open Surerocks opened 7 years ago
A quick update on the status of this:
I have written the HMAC code and created a login endpoint, but it still needs testing before deploying this (and we need to get the database set up with values to test with).
HTTPS is easy to write the code for... but SSL certificates are not simple apparently, so currently everything will be done over HTTP until we figure that out.
@richardperryman If you want to start writing the code to log in with the app, just use the /login endpoint over HTTP for now. Then on other requests, use the header 'hmac-user' with the user id, and 'hmac-content' with the hashed body of the message. A successful login will give you the key to use to hash it; we are using the same hashing algorithm that crypto_helper provides.
The AWS server does not yet have this code deployed, since it needs more testing first.
Whoops, I had written a comment, but I didn't send it. Anyway, I meant to say I was going to work mostly on other work today, but would take a crack at it tomorrow. I wanted to clarify something, though. When sending the later messages, what precisely do I hash? The full request including the request and header lines, or just the body?
Just the body; it will keep everything simpler.
Alright, but, unless I'm missing something, won't the body be empty in most cases when the app communicates with the server?
Hashing the empty string will still work, so it is fine.
Oh, right, for some reason I thought that wouldn't work. I'll start working on a version now.
While looking at the code you gave, I just noticed that in line 39 of auth_helper.js you have a toString without brackets. Is this an error?
Yes, that is an error, thanks for catching that. My tests haven't made it there yet; I've been stuck on something else.
I originally had sent this in an email; I am putting it here since it is a better location for reference:
We will set up an HTTPS server to do the login request securely, where we will send the username and password info in the body of a POST. I will then check if it is correct on the server, then generate a key that will be stored and sent back to the client.
This key will then be used for all other requests by the client to hash the body of the message; this hashed value will be stored in a header. There will also be a header with info about who is sending the request (user id or something).
Then when the server receives the request, it uses the user id header to get the key it needs to hash with, then hashes the body and compares that to what was sent in the header field. Then it will know the user is authenticated.
This key will expire after a given amount of time (maybe an hour or two, can be decided later).