markus_ja

REST API Security

Hello,

I developed my own REST server in Lazarus. It's working pretty well, but now I have to implement some security in order to protect my REST API calls. Since the REST API design is stateless, sessions should not be used. I want to prevent that somebody just invokes the URL to perform some actions. So only authorized users should be able to access the API.

So what is the preferred way to grant access to only authorized users?

This is a server-side issue, not an SMS problem.

Anyway, in order to protect your REST API calls: the authentication process is quite complex. The connection handshaking requires more than a single call to establish the security context. It will require at least 2 requests to be secure:

GET http://127.0.0.1:888/service/auth?UserName=Markus
GET http://127.0.0.1:888/service/auth?UserName=Markus&Password=3bb067a341285f9681311272a377666ed4694420adbc16e767d5884de07293b9&ClientNonce=d5b592c05dc25b5032553f1b27f4139be95e881f73db33b02b05ab20c3f9981e

The scheme will require exchanging binary data; using "params", they are encoded as strings.

The server side should generate a single nonce and, to increase security, add a salt at the beginning of a SHA-256/512 hashed expression.

In order to create a new user in-memory session, first of all:

a) an SMS client sends a GET request to the remote server, for instance:

http://127.0.0.1:888/service/auth?UserName=Markus

b) Server answers with a hexadecimal nonce content (valid for about 5 minutes);
c) SMS client sends a GET request to the remote server, in which Nonce is a random value used as client nonce, and PassWord is computed from the log-on and password entered by the user, using both server and client nonce as salt;

http://127.0.0.1:888/service/auth?UserName=Markus&Password=3bb067a341285f9681311272a377666ed4694420adbc16e767d5884de07293b9&Nonce=d5b592c05dc25b5032553f1b27f4139be95e881f73db33b02b05ab20c3f9981e

d) Server checks that the transmitted password is valid, i.e. that it matches the hashed password stored in its database and a time-valid server nonce; if the value is not correct, authentication failed;
e) On success, the server will create a new in-memory session (sessions are not stored in the database, for a lighter and safer process) and return the session number and a private key to be used during the session;
the SMS client will use this private key (in-memory session), for instance: A2F56B6811C
f) On any further access to the server side, a &signature= parameter is added to the URL, and will be checked against the valid sessions in order to validate the request;
For instance, if you invoke the OrderClient service:

http://localhost:888/service/OrderClient.Add?signature=003d064c007646c582c494f7
http://localhost:888/service/OrderClient.Add?signature=005a064c108648c599a4a123

Thanks for the detailed explanation!

I know it is not SMS related, but I didn't know where to ask.

When should the session expire, since the user can just close the app without logging out? So I assume at least I need a timer to determine when the session should be deleted.

Should the client ping the server frequently in order to refresh the session timeout? Or should the server implement a callback to see if the client is still active?

What is the performance cost if e.g. 10.000 users are logged in and for each session a timeout has to be checked frequently?

> I know it is not SMS related, but didn't know where to ask.

Take a look at the mORMot open source Delphi/Lazarus framework; it has all that (and more), and works well in combination with SMS.

> When should the session expire?

That's up to you: after x minutes of inactivity (no calls made to the server, not counting keep-alive).

> So, I assume, at least I need a timer to determine when the session should be deleted.

> Or should the server implement a callback to see if the client is still active?

A REST server doesn't need to keep the connection open; you should keep session information outside of the connection in some sort of list (of records, for example). Add one field called last activity that gets updated each time the client sends a request to the server.

> What is the performance cost, if e.g. 10.000 users are logged in and for each session a timeout has to be checked frequently?

Minimal: add a timer that checks all (even 10k) sessions every half an hour and simply deletes the ones where last activity is over x minutes. Also, when you get a new request from a client, check last activity as well, and if it's over the given timeout, send an error and require the client to start a new session.

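The two-step nonce log-on from the first reply (steps a) to f)) and the last-activity session expiry from the last reply, combined in one runnable Python example. This is added illustration code, not code from either poster and not mORMot's implementation: the exact hash layout (SHA-256 over server nonce, client nonce and the stored password digest), the signature format (session id, timestamp and an HMAC over the URL), the user table and all timeouts are assumptions chosen for the demo. Both the lazy check on each request and the periodic sweep the reply describes are included.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 5 * 60        # server nonce valid for about 5 minutes (step b)
SESSION_TTL = 15 * 60     # drop a session after "x minutes" of inactivity
SIGNATURE_WINDOW = 60     # reject signed requests with a stale timestamp


def password_digest(user, password):
    """What the server stores per user: a digest, never the clear password.
    Assumption: SHA-256 over "user:password"; a slow hash (Argon2, bcrypt)
    is the better choice for a real deployment."""
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()


# Constructed demo user table with a single account.
USERS = {"Markus": password_digest("Markus", "demo-password")}


def sign_request(session_id, key, ts, url):
    """Client-side signature for step f): HMAC-SHA256 with the session's
    private key over session id, timestamp and URL (assumed format)."""
    mac = hmac.new(bytes.fromhex(key), f"{session_id}:{ts}:{url}".encode(),
                   hashlib.sha256).hexdigest()[:24]
    return f"{session_id}:{ts}:{mac}"


class AuthServer:
    """Server side: nonces and sessions live in memory, nothing in the DB."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be tested offline
        self.nonces = {}        # user -> (server_nonce, issued_at)
        self.sessions = {}      # session_id -> {user, key, last_activity}

    def auth_challenge(self, user):
        """Steps a/b: GET /service/auth?UserName=...  -> hex server nonce."""
        nonce = secrets.token_hex(32)
        self.nonces[user] = (nonce, self.clock())
        return nonce

    def auth_verify(self, user, password_proof, client_nonce):
        """Steps c/d/e: check the salted proof; on success open a session."""
        entry = self.nonces.pop(user, None)       # server nonce is single-use
        stored = USERS.get(user)
        if entry is None or stored is None:
            return None
        server_nonce, issued_at = entry
        if self.clock() - issued_at > NONCE_TTL:  # step d: time-valid nonce
            return None
        expected = hashlib.sha256(
            f"{server_nonce}{client_nonce}{stored}".encode()).hexdigest()
        if not hmac.compare_digest(expected, password_proof):
            return None
        session_id = secrets.token_hex(8)
        key = secrets.token_hex(32)               # private key for this session
        self.sessions[session_id] = {
            "user": user, "key": key, "last_activity": self.clock()}
        return session_id, key

    def call(self, url, signature):
        """Step f: any further request carries &signature=...; returns the
        user on success, None on a rejected request."""
        try:
            session_id, ts, _mac = signature.split(":")
        except ValueError:
            return None
        session = self.sessions.get(session_id)
        now = self.clock()
        if session is None:
            return None
        if now - session["last_activity"] > SESSION_TTL:
            del self.sessions[session_id]         # lazy expiry on access
            return None
        if abs(now - int(ts)) > SIGNATURE_WINDOW:
            return None
        expected = sign_request(session_id, session["key"], ts, url)
        if not hmac.compare_digest(expected, signature):
            return None
        session["last_activity"] = now            # refreshed on every request
        return session["user"]

    def sweep(self):
        """Timer job: remove sessions idle longer than SESSION_TTL."""
        now = self.clock()
        stale = [sid for sid, s in self.sessions.items()
                 if now - s["last_activity"] > SESSION_TTL]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)


def client_login(server, user, password):
    """Steps a) to e) from the client's point of view."""
    server_nonce = server.auth_challenge(user)
    client_nonce = secrets.token_hex(32)
    proof = hashlib.sha256(
        f"{server_nonce}{client_nonce}{password_digest(user, password)}"
        .encode()).hexdigest()
    return server.auth_verify(user, proof, client_nonce)


if __name__ == "__main__":
    server = AuthServer()
    sid, key = client_login(server, "Markus", "demo-password")
    url = "/service/OrderClient.Add"
    ts = str(int(time.time()))
    print(server.call(url, sign_request(sid, key, ts, url)))   # Markus
    print(client_login(server, "Markus", "wrong-password"))     # None
```

The clear password never leaves the client: the server only sees a proof that depends on both nonces, so a captured request cannot be replayed after the nonce expires and is consumed. Binding the signature to the URL and a timestamp means a captured OrderClient.Add call cannot be reused for a different service call or later on. Expiry costs one dictionary lookup per request plus a linear scan on the timer, which is negligible even for 10k sessions.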