How to properly verify the existence of a user in a Restful API (Nodejs) by sending Login and Password in a GET verb?

Viewed 68 times

Verifying a user’s existence through a Restful API would be a GET transaction given that it would only be a select.

Briefly, it would mean sending the Login and Password this way:

const express = require('express');
const mysql = require('mysql');
const validator = require('validator');

const app = express();
// Database connection used by the route below (placeholder credentials)
const con = mysql.createConnection({ host: 'localhost', user: 'app', password: 'secret', database: 'appdb' });

app.get('/users/:login/:passwd', function (req, res) {
    // Route parameters are read from req.params (req.param() is deprecated in Express 4)
    var login = validator.trim(validator.escape(req.params.login));
    var passwd = validator.trim(validator.escape(req.params.passwd));
    // Query built by string concatenation, exactly as in the original post
    con.query("SELECT * FROM users WHERE login = '" + login + "' AND password = '" + passwd + "'", function (err, result) {
        if (err) {
            // Throwing inside the callback would crash the process; answer with a 500 instead
            return res.status(500).json({ error: err.message });
        }
        res.json({ result });
    });
});

app.listen(3000);

My question refers to the fact that GET is sending sensitive information such as login and password.

How we do this check without breaching Restful API best practice standards (verbs suitable for CRUD transactions) and maintaining security (Do not send sensitive info with GET)?

  • Leaving aside the fact that your query is vulnerable to SQL Injection, have you thought about using POST instead of GET?

  • Yes, I always used POST. The fact is I am trying to follow the REST API standard, where every select is a GET. POST is just for Insert.

  • What do you mean "every select is a GET"? Let’s not confuse a database select (query) with REST patterns of HTTP verbs, because I can have a register (POST) that needs a previous validation (a select in the database). Apparently, in your example, you are doing an authentication, and authentication is already another story; we would talk about OAuth2, Basic Auth, HMAC, etc. Besides, this path '/users/:login/:passwd' is already outside the "standard" as well. Just think about the following: does it make sense for someone to invent a "pattern" where passwords are sent in the URL?

  • It depends on the interpretation. According to W3C standards - see this link https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html get requests should be used to retrieve information. This is the approach used in some Restful API standards. See for example this White House API standard for official US Government documents https://github.com/WhiteHouse/api-standards . CRUD op - READ => GET => SELECT. That’s what I meant by all GET to be a select or vice versa

  • My question also does not relate to security. That’s another story. This code was used for testing.

  • Yes, GET requests should be used to retrieve information. I think it got a little confusing to understand what you really want to do. Do you want to authenticate a user (login) or just check if a particular user exists? You will hardly find anyone talking about sending passwords in the URL (GET), even because any sniffer could capture the data even when using SSL.

No answers
