restAPI design - authentication

By

Restful is a pattern to provide an API to manage resources on a server, providing a uniform deal to create, access and change data. In a previous post I have shown the json-sever. With that server, I made several tests and even extended its API. The json-server takes a JSON-file and provide an access through a auto-generated API.

But I never made a complete app using that server, until recently. Because every time I meet some issues that would require a lot of coding that I was not willing to spend for small side projects. But I could not get RESTapis out of my mind, so I studied studied some resources to answer all questions that are open. In this small series of posts I want to talk about some.

The first is this one, about Authentication, it is the one you are currently reading. The next will be about actual designs, means about how parameter and responses should look. It will also provide good resources with good API-definitions and actual implementations. After that, I will actually take a look of implementing a restAPI in nodejs and auto generated APIs, with additional feature: how objects will be validated, security guarantied and business rules applied.

Authentication

Often I had the question, how should I do authentication and how does resources look, that are related to the current user. Messages to me, messages from me, my photos, my results, orders, what ever. On top of that, I was asking myself how should a restful API actually look like. The JSON-Server is so simple that it is instantly fun to play with it. But quickly I reached several points, that throw questions that need to be answered but for the small side projects they are to big.

Login

First was the authentication, is making a session actually restful? My answer to that is actually yes. Many people come to different opinions, but it is not to important. The important thing is that you know how to do authentication. Typically I had some auth-module that has provided an RPC method for login and an other to get information about the current session.

For my first complete restful app, I actually provided a kind of a virtual resource. Many frameworks would name that a Controller or API-Handler. The Controller that I made received login information through a POST-request and provided the current session information to the GET and the DELETE for logout.

token + signatures

When the API is not meant to be called by a browser, working with sessions is not comfortable and when using web-APIs I never saw that. So the authentication is send on every request. Depending on the importance of that API, there was just a token. So the provider can monitor my request and limit the results and number of requests. Sometimes it is fine to just use https for encryption. But because many http implementations do not validate the certificates APIs require to add a signature to a request.

implementation

Using nodejs with express, both types of authentication can be ensured using middleware that is running before the middleware for the actual API is executed. No matter if you are using sails.js, JSON-server or an other rest-API providing framework, you can use standard middleware such as express-session, curf or express-body-parser. With your applications specific authentication middleware you only need to invest once and the authentication will be solved.

Contents
  1. 1. Authentication
    1. 1.1. Login
    2. 1.2. token + signatures
    3. 1.3. implementation