Ask HN: REST and Authentication - Davertron

So there's been something I've been wondering about for a little while now with respect to REST and authentication. First let me set up a basic scenario, and then I'll describe the problem.

Let's suppose that you have a simple app that allows you to track your book collection. So you have a books table, and you want to expose that using a RESTful web app. My question is this: how would you restrict me to only mucking with my own collection?

I'm sorry if this seems really simple, but I've never come across an example that deals with this. If I want to expose an API to my users for my site, and I don't want them to be able to just willy-nilly muck around with all of the data in my site, how do I deal with this?
======
mbrubeck
The Amazon Web Services (AWS) authentication system is a good example. It uses
an HMAC sent in the request headers, so that each request is effectively
signed by the sender:

[http://docs.amazonwebservices.com/AWSSimpleQueueService/2006...](http://docs.amazonwebservices.com/AWSSimpleQueueService/2006-04-01/RequestAuthenticationArticle.html)

This allows authentication without any sort of server-side session state,
since each request can be authenticated individually. So it can be more
horizontally scalable than a stateful session, but it may also be more CPU-
intensive on both server and client, since they need to compute a
cryptographic hash for every request. Also, the lack of a widely-reviewed
standard library for HTTP+HMAC authentication means that you might end up
rolling your own, which would probably have security holes that you don't
catch, like all the recent timing attack vulnerabilities:
<http://news.ycombinator.com/item?id=760917>

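A worked illustration of the request-signing scheme the comment describes, as an added example that is not part of the thread and not AWS's own code. The key id, secret and user id in `API_KEYS` are constructed placeholders; the header names (`x-date`, `x-key-id`, `authorization`) and the five-line canonical string are assumptions chosen for the example, not the AWS format. The server recomputes the HMAC over the same canonical string, bounds the timestamp to limit replay, and compares the two MACs with `hmac.compare_digest` so that the comparison does not leak timing, which is the class of bug the comment warns a hand-rolled version tends to have.

```python
import hashlib
import hmac
import time

# Constructed sample credential table: key id -> shared secret and the user
# it belongs to. Illustrative values only, not real AWS credentials.
API_KEYS = {
    "AKIDEXAMPLE": {
        "secret": b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "user_id": 42,
    },
}

# Reject requests whose timestamp is more than this far from server time.
# This bounds the replay window; it does not prevent replay inside it.
MAX_CLOCK_SKEW = 300  # seconds (assumption for the example)


def canonical_string(method, path, headers, body):
    """Deterministic serialization of the request parts the signature covers.

    Client and server must build this identically. Anything left out of it
    (e.g. a query string) could be altered in transit without invalidating
    the signature, so cover everything the server acts on.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([
        method.upper(),
        path,
        headers["x-date"],
        headers["x-key-id"],
        body_hash,
    ]).encode()


def sign_request(key_id, secret, method, path, body, now=None):
    """Client side: return the headers to send with a signed request."""
    ts = str(int(now if now is not None else time.time()))
    headers = {"x-date": ts, "x-key-id": key_id}
    mac = hmac.new(secret, canonical_string(method, path, headers, body),
                   hashlib.sha256).hexdigest()
    headers["authorization"] = "HMAC-SHA256 " + mac
    return headers


def verify_request(method, path, headers, body, now=None):
    """Server side: return the authenticated user_id, or None to reject.

    No session state is consulted; every request carries what is needed
    to authenticate it on its own.
    """
    now = now if now is not None else time.time()
    key = API_KEYS.get(headers.get("x-key-id", ""))
    if key is None:
        return None
    try:
        ts = int(headers["x-date"])
    except (KeyError, ValueError):
        return None
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return None
    auth = headers.get("authorization", "")
    prefix = "HMAC-SHA256 "
    if not auth.startswith(prefix):
        return None
    presented = auth[len(prefix):]
    expected = hmac.new(key["secret"],
                        canonical_string(method, path, headers, body),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison. A plain `==` short-circuits on the first
    # differing byte, which is exactly the timing leak the comment refers to.
    if not hmac.compare_digest(presented, expected):
        return None
    return key["user_id"]
```

Once `verify_request` returns a user id, the handler still has to check that the book being touched belongs to that user; the signature only says who sent the request, not what they may do.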
------
ErrantX
I would suggest simply using HTTP basic auth.

<http://en.wikipedia.org/wiki/Basic_access_authentication>

Simple but effective. One example of such a usage is Mercurial, which uses
HTTP basic auth for remote pushes to your web-based repository :) As that is a
similar sort of thing, it sounds ideal.

~~~
mbrubeck
Agreed. HTTP Basic doesn't do everything, but at least the limitations are
well known and the implementations are well understood. Combine it with SSL
and you have reasonably secure request authentication.

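To tie the thread's two halves together, an added example (not from the thread, Mercurial or any project) of an HTTP Basic handler that answers the original question: authentication tells the server who the caller is, and a separate ownership check on the books table decides what they may touch. The users, salts, passwords and books are constructed placeholders, the `/books/<id>` routing is an assumption for the example, and the stored hashes use PBKDF2 rather than the plaintext password so a leaked table is not directly usable. Basic auth sends the password base64-encoded, not encrypted, on every request, so this only makes sense over TLS as the reply above says.

```python
import base64
import hashlib
import hmac


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; iteration count is an assumption for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: username -> salt, password hash, user id.
_SALT_ALICE = b"constructed-salt-alice"
_SALT_BOB = b"constructed-salt-bob"
USERS = {
    "alice": {"salt": _SALT_ALICE, "user_id": 1,
              "hash": _hash_password("correct horse", _SALT_ALICE)},
    "bob": {"salt": _SALT_BOB, "user_id": 2,
            "hash": _hash_password("battery staple", _SALT_BOB)},
}

# Constructed books table: book id -> owner and title.
BOOKS = {
    10: {"owner_id": 1, "title": "SICP"},
    11: {"owner_id": 2, "title": "TAOCP"},
}


def authenticate(authorization_header):
    """Parse an HTTP Basic Authorization header; return user_id or None."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    user = USERS.get(username)
    if user is None:
        # Hash anyway so an unknown username costs the same time as a wrong password.
        _hash_password(password, b"constructed-dummy-salt")
        return None
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"]):
        return None
    return user["user_id"]


def handle_request(method, path, authorization_header):
    """Minimal router for /books/<id>: authenticate first, then authorize by ownership.

    Returns (status, body). Other users' books get 404 rather than 403 so that
    ids cannot be enumerated by probing for "forbidden".
    """
    user_id = authenticate(authorization_header)
    if user_id is None:
        return 401, 'WWW-Authenticate: Basic realm="books"'
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "books" or not parts[1].isdigit():
        return 404, "not found"
    book_id = int(parts[1])
    book = BOOKS.get(book_id)
    if book is None or book["owner_id"] != user_id:
        return 404, "not found"
    if method == "GET":
        return 200, book["title"]
    if method == "DELETE":
        del BOOKS[book_id]
        return 204, ""
    return 405, "method not allowed"


def basic_header(username, password):
    """Client side: build the Authorization header value for Basic auth."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()
```

The point of the ownership check being a separate step is that the `/books/<id>` URL is guessable; the authentication header proves identity, but only the `owner_id` comparison stops one user from reading or deleting another's rows.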
