Is this a secure solution for RESTful authentication?
Posted by Chad Johnson on Programmers
Published on 2013-10-28T18:20:21Z
Tags: rest | authentication
I need to quickly implement a RESTful authentication system for my JavaScript application to use. I think I understand how it should work, but I just want to double check. Here's what I'm thinking -- what do you guys think?
Database schema
users
- id : integer
- first_name : varchar(50)
- last_name : varchar(50)
- password : varchar(32) (MD5 hashed)
- etc.
user_authentications
- id : integer
- user_id : integer
- auth_token : varchar(32) (AES encrypted, with keys outside database)
- access_token : varchar(32) (AES encrypted, with keys outside database)
- active : boolean
Steps
The following happens over SSL. I'm using Sinatra for the API.
- JavaScript requests authentication via POST to /users/auth/token.
- The /users/auth/token API method generates an auth_token hash, creates a record in user_authentications, and returns auth_token.
- JavaScript hashes the user's password and then salts it with auth_token -- SHA(access_token + MD5(password))
- POST the user's username and hashed+salted password to /users/auth/authenticate.
- The /users/auth/authenticate API method will verify that SHA(AES.decrypt(access_token) + user.password) == what was received via POST.
- The /users/auth/authenticate will generate, AES encrypt, store, and return an access token if verification is successful; otherwise, it will return 401 Unauthorized.
- For any future requests against the API, JavaScript will include access_token, and the API will find the user account based on that.
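The flow in the post, sketched as added Ruby (not the poster's code and not a Sinatra app): in-memory hashes stand in for the two tables, SHA is taken to be SHA-256, the token returned at step 2 is the one hashed at step 3 (the post calls it both auth_token and access_token), and the token request is assumed to carry the username so the record can be tied to a user.

```ruby
require 'digest'
require 'openssl'
require 'securerandom'

USERS = {}                 # stand-in for the users table: username => { id:, password: MD5(password) }
USER_AUTHENTICATIONS = []  # stand-in for user_authentications: { id:, user_id:, auth_token:, access_token:, active: }
AES_KEY = OpenSSL::Digest::SHA256.digest('demo-key-kept-outside-the-db') # demo only; the real key lives outside the DB
def aes_encrypt(plain)
  c = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  c.key = AES_KEY
  iv = c.random_iv
  iv + c.update(plain) + c.final # random IV stored in front of the ciphertext
end
def aes_decrypt(blob)
  c = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  c.key = AES_KEY
  c.iv = blob[0, 16]
  c.update(blob[16..-1]) + c.final
end
def register_user(username, password)
  USERS[username] = { id: USERS.size + 1, password: Digest::MD5.hexdigest(password) }
end
# Steps 1-2: POST /users/auth/token (username assumed to be sent with the request).
def issue_auth_token(username)
  token = SecureRandom.hex(16) # 32 hex chars, fits varchar(32)
  USER_AUTHENTICATIONS << { id: USER_AUTHENTICATIONS.size + 1, user_id: USERS.fetch(username)[:id],
                            auth_token: aes_encrypt(token), access_token: nil, active: true }
  token
end
# Step 3, client side: SHA(token + MD5(password)); SHA-256 assumed.
def client_proof(token, password)
  Digest::SHA256.hexdigest(token + Digest::MD5.hexdigest(password))
end
def constant_time_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
# Steps 5-7: POST /users/auth/authenticate; returns an access token, or nil for 401.
def authenticate(username, proof)
  return nil unless (user = USERS[username])
  rec = USER_AUTHENTICATIONS.reverse.find { |r| r[:user_id] == user[:id] && r[:active] && r[:access_token].nil? }
  expected = rec && Digest::SHA256.hexdigest(aes_decrypt(rec[:auth_token]) + user[:password])
  return nil unless expected && constant_time_equal?(expected, proof)
  rec[:access_token] = aes_encrypt(access = SecureRandom.hex(16))
  access
end
# Step 8: later requests carry access_token; resolve it back to the user record.
def user_for_access_token(access)
  rec = USER_AUTHENTICATIONS.find { |r| r[:active] && r[:access_token] && aes_decrypt(r[:access_token]) == access }
  rec && USERS.values.find { |u| u[:id] == rec[:user_id] }
end
```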