I’ve created my web app and its API. What is a good way to secure it so that only authenticated users can use it?
I don’t want to pass the username and password in the URL. Is there another way?
It will be used by my Xojo apps and a Xojo iOS app as well as some third-party stuff.
You may want to use something like this in the iOS app:
Get date.now SecondsFrom1970
Apply some encrypting to that number (does not have to be very elaborate)
EncodeBase64
Use that as path
In HandleURL,
decodeBase64 the path
decrypt
Compare with Xojo.Core.Date Date.Now SecondsFrom1970
If the result is less than a second or two, you know the path has been created by your app.
Assuming you’re using HTTPS you can POST username/password and then check it.
You could always expect POST with username/password included, but generally it’s better to generate and save a token string on API login that is passed back to the client, which from then on passes the token for each request along with username or other identifier that can be checked against the saved token string on the server.
I tend to use their email address and a Hex code hash of the app name, email and maybe expiry date, etc. That way they can’t use the same Hex code of different apps from me, and they’re less likely to tell someone the code since it links to themselves.
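The login-token flow suggested earlier in the thread (POST credentials over HTTPS, get a token back, send token plus username on every later request), as an added server-side sketch in Python that is not code from any poster. The user store, function names, one-hour lifetime and the choice to keep only a hash of the token on the server are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # assumed token lifetime in seconds

# Constructed sample user store: username -> (salt, PBKDF2 hash of the password)
SALT = b"constructed-salt"
USERS = {"alice": (SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000))}

# Server-side session store: username -> (SHA-256 of the token, expiry time).
# Keeping only the hash means a leaked session table does not leak usable tokens.
SESSIONS = {}


def login(username, password, now=None):
    """Check credentials received in a POST body; return a fresh token or None."""
    now = time.time() if now is None else now
    # Unknown users still go through the hash so both failures cost the same time.
    salt, stored = USERS.get(username, (b"dummy-salt", None))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if stored is None or not hmac.compare_digest(candidate, stored):
        return None
    token = secrets.token_urlsafe(32)  # unguessable, generated by the OS CSPRNG
    SESSIONS[username] = (hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL)
    return token


def authorize(username, token, now=None):
    """Check the username + token pair sent with each later API request."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(username)
    if entry is None:
        return False
    digest, expires = entry
    if now >= expires:
        del SESSIONS[username]  # expired: the client has to log in again
        return False
    # Constant-time comparison against the saved value
    return hmac.compare_digest(hashlib.sha256(token.encode()).digest(), digest)
```

The client would send the token in a request header or POST body rather than in the URL, so it stays out of server logs and browser history.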