Web Service question, part 2

[jking]

Hi Bruce,

          Two years ago I posted about creating a web service, and decided to add the web service (API) to an existing NT app.  This has worked very well.  I store user credentials in a tps file with the password stored as a salted hash.  Authentication is done with code in the WebHandler Authenticate method.  Users can log into the NT app and use the API, all with the same login and password.

          I have a user who now wants to create their own program using R-Code, to send data to the NT App via the API.  Here is a sample of their R-code:

          response <- POST(url=paste0(host,path),
                 accept("application/json"),
                 content_type("application/json"),
                 authenticate(user,passwd),
                 #add_headers(Authorization=paste0("Basic ",auth)),
                 body=request)


          Using their username and password, they successfully add data to the NT app.  There won't be any user interface involved, just their R-Code running from another app they created, to send data to my NT App via the included API (Web Service).  However, the user has a concern about "hardcoding" their username and password into the R-code they created.  I have the following questions:

1.  Is this a valid concern, coding the username and password in their R-code?

2.  Is this technique, using a username and password to access a web service/API, the preferred way?

3.  I use another unrelated API, where I send a key/code to the API.  It does not involve a username and password.  I'm not sure how or if this can be done with a NT API/Web Service.  Can this be done in NT?  If it can, is it a better way to authenticate?

Thanks,

Jeff King

[DonRidley]

Hello Jeff,

1.  Is this a valid concern, coding the username and password in their R-code?

No more so than coding it into any other language or platform.  There are numerous ways to obfuscate authentication data.  Just take the normal precautions.

2.  Is this technique, using a username and password to access a web service/API, the preferred way?

It looks like he's using Basic Authentication.  This is commonly used.  The credentials can be Base 64 encoded.  Also, if the login is requested against a secure connection (HTTPS), the traffic is encrypted and less susceptible to attack.  I don't think there's a valid excuse for running a non-secure server nowadays anyway.

3.  I use another unrelated API, where I send a key/code to the API.  It does not involve a username and password.  I'm not sure how or if this can be done with a NT API/Web Service.  Can this be done in NT?  If it can, is it a better way to authenticate?

NetTalk supports several flavors of authentication. Basic, Digest, OAuth, etc. It just comes down to which one works for you.

In short, I wouldn't worry about the R-Code issue personally.

[jking]

Don,

     Thanks for the response.  I tend to agree with everything you have said.  I just want to be able to assure the user.

Thanks again,

Jeff

[jking]

Don,

     Your comment about Base64 encoding got me thinking.  The outside API I use has me send a long string, a key/code, instead of using a username and password.  I did a Base64 decoding of this and it is in fact a username and password!  So they receive this and decode it to allow me to log in.  I thought they were using something different, but nope, doing things just like we do with NT.
     As an aside, I guess I could tell my user to Base64 encode his username and password in his R-Code and we will decode it on our side.  But this is really not that much more secure as anyone can do a Base64 decoding of it.

Thanks!

[Bruce]

Hi Jeff,

embedding users and passwords in code is not ideal, because then you need to start worrying about who can see that code.
Like for example if this code is committed into source control, especially public source control, then it would be an issue.
But for compiled programs, with minimal or no distribution of source code it's ok.

Base64 encoding the user name or password serves no purpose. The value will already be base64 encoded by the Authenticate command.
Obviously you can only use Basic Authentication against an HTTPS, not HTTP server, as the password and username are in plaintext in the header.

>> 2.  Is this technique, using a username and password to access a web service/API, the preferred way?

it's not preferred more or less than anything else. It's a perfectly good way, and commonly used. It's completely supported by NetTalk. There are other ways to do Auth, this is just one, and a perfectly good one (as long as HTTPS is in play).

>> I use another unrelated API, where I send a key/code to the API. 

key / code == user/password - same thing, different names.

>> I'm not sure how or if this can be done with a NT API/Web Service.

authentication can be passed to the server any number of ways. Whichever way you prefer you can do.

Cheers
Bruce