nziebart
commented
9 years ago Here is my proposal for an authentication scheme:
- App passes IG token to login and register endpoints
- Server authenticates the user (via IG), then generates its own token and stores that in the database
- App passes the server-generated token on all subsequent calls
- Server uses this token to authenticate the user. The token should expire after xx period of time, at which point the app must log in again.
Let's discuss options if there is a better way. I think this way is pretty standard though, and it is flexible so we can use a password or another 3rd party later on.
Another way would be do do what we do now, but just use the IG user_id instead of the username. But, I feel like our user authentication should not be so heavily tied to IG.
It would be cleaner to move request authentication to an HTTP header. It looks like currently we have an app key and a user token, so we could define a structure for the Authorization header to pass these.
Something like:
PEARING-AUTH appKey="22040d5b16d7c84ff4022d37555519b2",userToken="ATzerjisLxBbNrYET1lR2zCh1SCDBV8t1"
The userToken would be optional for some requests, but the appKey should probably never be optional.