I made an API and would like to know if it is relatively safe to put a username and password the way I did
Look, the ideal thing is for you to do something like OAuth
.
Leave Url
for authentication, this URl should expect Body
with Usuario
and Senha
, the return of this section should be Token
. This Token must be unique for each successful authentication, it must be linked to the User.
For security reasons, I recommend that the Token be stored as a 64-byte array in the database, and it must be generated using a strong algorithm, following an example in C#
(although you do not have specified language for BackEnd
).
var token = new byte[64];
var random = RandomNumberGenerator.Create();
random.GetBytes(token);
In this way, even if you have two users logged in using the same Usuario
, you could distinguish the two by Token
.
Of course, what will travel in the header is the Base64 representation of this Token.
Finally, another security tip, use the same Token
generation strategy to generate Salt
at the time of registering the password, but once, follow an example in C#
.
var password = "Minha@Senha$1234"
var salt = new byte[16];
var random = RandomNumberGenerator.Create();
random.GetBytes(salt);
var pepper = salt.Sum(x => x);
var encrypted = KeyDerivation.Pbkdf2(password, salt, KeyDerivationPrf.HMACSHA512, 8000 + pepper, 64);