API User and password in Header

2

I made an API and would like to know if it is relatively safe to put a username and password in the header the way I did.

asked by anonymous 13.11.2017 / 17:57

2 answers

1

Look, the ideal thing is for you to do something like OAuth.

Leave a URL for authentication; this URL should expect a body with Usuario and Senha, and the return of this request should be a Token. This Token must be unique for each successful authentication, and it must be linked to the user.

For security reasons, I recommend that the Token be stored as a 64-byte array in the database, and it must be generated using a strong algorithm; here is an example in C# (although you did not specify a language for the backend).

using System.Security.Cryptography;

// 64 random bytes from the OS cryptographic RNG; a fresh one per successful login
var token = new byte[64];
var random = RandomNumberGenerator.Create();
random.GetBytes(token);

In this way, even if you have two sessions logged in using the same Usuario, you can distinguish the two by Token.

Of course, what will travel in the header is the Base64 representation of this Token.

Finally, another security tip: use the same Token generation strategy to generate the Salt when registering the password, but only once; here is an example in C#.

using System.Linq;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Cryptography.KeyDerivation;

var password = "Minha@Senha$1234";
// per-user random salt, generated once at registration and stored next to the hash
var salt = new byte[16];
var random = RandomNumberGenerator.Create();
random.GetBytes(salt);

// per-user iteration offset derived from the salt bytes (sum of 16 bytes, 0..4080)
var pepper = salt.Sum(x => x);
// PBKDF2-HMAC-SHA512 with a 64-byte output; store salt and result, never the password
var encrypted = KeyDerivation.Pbkdf2(password, salt, KeyDerivationPrf.HMACSHA512, 8000 + pepper, 64);
13.11.2017 / 18:36
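The flow this answer recommends, end to end, as an added example that is not part of the original post or the answerer's code. It is written in Python rather than C# because the question leaves the backend language open; the in-memory USERS and TOKENS dictionaries stand in for database tables, the "Authorization: Bearer <base64 token>" header format and the 100,000 PBKDF2 iterations are assumptions of this example, and the sample credentials are constructed. The token lookup and the password check both use constant-time comparison, which the answer does not spell out.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-ins for the database tables.
USERS: Dict[str, Dict[str, bytes]] = {}   # username -> {"salt": ..., "hash": ...}
TOKENS: Dict[bytes, str] = {}             # raw 64-byte token -> username

PBKDF2_ITERATIONS = 100_000   # assumption: a modern floor; the answer used 8000 + pepper
TOKEN_BYTES = 64              # the answer's 64-byte token array
SALT_BYTES = 16               # the answer's 16-byte salt


def _kdf(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA512 with a 64-byte output, matching the answer's parameters."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=64)


def register(username: str, password: str) -> None:
    """Store a per-user random salt and the derived hash; the password itself is never kept."""
    salt = secrets.token_bytes(SALT_BYTES)      # generated once, at registration
    USERS[username] = {"salt": salt, "hash": _kdf(password, salt)}


def verify_password(username: str, password: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        # Run the KDF anyway so an unknown user costs the same time as a wrong password.
        _kdf(password, b"\x00" * SALT_BYTES)
        return False
    return hmac.compare_digest(_kdf(password, record["salt"]), record["hash"])


def login(username: str, password: str) -> Optional[str]:
    """The authentication URL: body carries user + password, reply carries a Base64 token."""
    if not verify_password(username, password):
        return None
    token = secrets.token_bytes(TOKEN_BYTES)    # unique per successful authentication
    TOKENS[token] = username                    # linked to the user, as the answer requires
    return base64.b64encode(token).decode("ascii")


def authenticate_request(headers: Dict[str, str]) -> Optional[str]:
    """Resolve the user behind an 'Authorization: Bearer <base64>' header, or None."""
    scheme, _, encoded = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not encoded:
        return None
    try:
        token = base64.b64decode(encoded, validate=True)
    except ValueError:                          # binascii.Error is a ValueError subclass
        return None
    if len(token) != TOKEN_BYTES:
        return None
    # Compare against every stored token in constant time instead of a dict lookup,
    # so the time taken does not depend on how much of a guessed token matched.
    for stored, username in TOKENS.items():
        if hmac.compare_digest(stored, token):
            return username
    return None


if __name__ == "__main__":
    register("alice", "Minha@Senha$1234")
    issued = login("alice", "Minha@Senha$1234")
    print("token:", issued)
    print("user:", authenticate_request({"Authorization": "Bearer " + issued}))
```

Two logins by the same user yield two different tokens, so concurrent sessions are told apart by token rather than by username, which is the point the answer makes.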
0

It's safe, but it's not practical. In all the APIs I know (CIELO, Google and Unlisted Images), without exception, the authentication is through a key that is generated from a

13.11.2017 / 18:06