API User and password in Header

Viewed 682 times

2

I made an API and would like to know if it is relatively safe to put a username and password the way I did.

2 answers

2

Look, the ideal is to do something in the style of OAuth.

Leave a URL for authentication; this URL should expect a body with Usuario and Senha, and the return of this request should be a Token. This Token must be unique for each successful authentication and must be linked to the User.

For security reasons, I advise that the Token be stored as a 64-byte array in the database and that it be generated through a strong algorithm; here is an example in C# (although you have not specified a language for the back end).

using System.Security.Cryptography;

var token = new byte[64];                        // 64-byte session token
using var random = RandomNumberGenerator.Create(); // cryptographically secure generator
random.GetBytes(token);                          // fill the array with random bytes

Thus, even if you have two users logged in using the same Usuario, you will be able to distinguish the two through the Token.

And of course, what travels in the header is the Base64 representation of this Token.

Finally, another security tip: use the same generation strategy as the Token for generating the Salt when registering the password, but only once; here is an example in C#.

using System.Linq;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Cryptography.KeyDerivation;

var password = "Minha@Senha$1234";
var salt = new byte[16];                           // one fresh salt per registered password
using var random = RandomNumberGenerator.Create();
random.GetBytes(salt);

var pepper = salt.Sum(x => x);                     // sum of the salt bytes (0..4080), used to vary the iteration count
var encrypted = KeyDerivation.Pbkdf2(password, salt, KeyDerivationPrf.HMACSHA512, 8000 + pepper, 64); // 64-byte PBKDF2-HMAC-SHA512 output
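
As an added example (not code from the original answer), here is the whole flow the answer describes in C#: registration with a per-user salt and PBKDF2, login that checks the password and issues a fresh 64-byte token, and a lookup that maps the Base64 token from the header back to the user. It uses an in-memory store standing in for the database, assumes the Microsoft.AspNetCore.Cryptography.KeyDerivation package and .NET Core 2.1 or later, and the "Bearer" header format and iteration count are my own choices.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Cryptography.KeyDerivation;

public static class AuthStore
{
    // Hypothetical in-memory tables standing in for the database.
    static readonly Dictionary<string, (byte[] Salt, byte[] Hash)> Users = new();
    static readonly List<(byte[] Token, string User)> Sessions = new();

    static byte[] RandomBytes(int n)
    {
        var bytes = new byte[n];
        RandomNumberGenerator.Fill(bytes);   // CSPRNG, the same strategy as the answer
        return bytes;
    }

    // PBKDF2-HMAC-SHA512, 64-byte output; the iteration count here is an assumption.
    static byte[] Derive(string password, byte[] salt) =>
        KeyDerivation.Pbkdf2(password, salt, KeyDerivationPrf.HMACSHA512, 100_000, 64);

    // Registration: one fresh 16-byte salt per user, stored beside the derived hash.
    public static void Register(string user, string password)
    {
        var salt = RandomBytes(16);
        Users[user] = (salt, Derive(password, salt));
    }

    // The authentication URL: body carries Usuario and Senha, response is the Base64 token.
    public static string? Login(string user, string password)
    {
        if (!Users.TryGetValue(user, out var rec)) return null;
        var candidate = Derive(password, rec.Salt);
        if (!CryptographicOperations.FixedTimeEquals(candidate, rec.Hash)) return null;
        var token = RandomBytes(64);         // unique per successful login, linked to the user
        Sessions.Add((token, user));
        return Convert.ToBase64String(token);
    }

    // Every other endpoint: decode "Authorization: Bearer <base64>" and find its user.
    public static string? UserForHeader(string authorization)
    {
        const string prefix = "Bearer ";
        if (!authorization.StartsWith(prefix, StringComparison.Ordinal)) return null;
        byte[] token;
        try { token = Convert.FromBase64String(authorization[prefix.Length..]); }
        catch (FormatException) { return null; }
        foreach (var s in Sessions)
            if (CryptographicOperations.FixedTimeEquals(s.Token, token)) return s.User;
        return null;                         // unknown or malformed token
    }
}
```

Constant-time comparison is used for both the password hash and the token lookup so that response timing does not leak how many bytes matched.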

0

It's safe, but it's not the usual practice. In all APIs I know (CIELO, Google and Unlisted Images), without exception, authentication is through a key generated from a Guid, which can be sent either in a header or in the request URL, but all recommendations are to send it in the header.

Follow the example of CIELO, which asks for merchantID and merchantKey in the header only.

CIELO HEADER

  • I do not know if I can identify the difference between my example and yours; it seems to me to be the same thing.

  • No difference, I just wanted to give an example from CIELO. Answering your question: it is safe, but using user/password is not what is used in the market. I will update the answer with some more information incidentally.
