kepler Posted December 19, 2017

Hi, I've created a REST API to provide several services to the users. Each one has a username, password and an API key, which is secret - it can only be decrypted by me. My problem is that one of the apps is for the user to load a webpage and retrieve info from its calculations (which calls an API script). For now the system I'm using is this:

1) First, the user must write the current time to a file in his domain.
2) The user sends to the API the current URL (that must match my database IP info) along with a value equal to the API key + time.
3) On my side, I fetch the file that must reside at the URL he sent - which must match the domain IP registered by him - and the difference in time can't be more than 5 seconds.
4) I generate a session token which includes his API key plus time (encrypted) again and send it to him.
5) The request page is loaded with the API key and session token as hidden fields that, when run, must match again the info I have.

Can someone please advise on the refinement of this logic? Do I maintain the token for 5, 10, or 30 minutes? Or do I change it in every request?

Kind regards
Kepler

https://forums.phpfreaks.com/topic/305944-rest-api-protect/
requinix Posted December 19, 2017

That's not a good scheme. Protip: do not invent cryptography on your own. Neither you nor anybody on this site has the knowledge to do it right.

What is the API for and how is it supposed to be used, not including the authentication bits?
gizmola Posted December 20, 2017

Rather than attempting to roll your own rather convoluted system, I would suggest you take a look at the JSON Web Tokens standard. I believe it solves the problems you are concerned about. I don't know who your end users are, but expecting them to do anything other than simple and standard configuration in order to utilize your API is a pretty sure way to ensure that they won't want to bother.

Start here: https://jwt.io/
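To make the JWT suggestion concrete, here is an added example (not code from the thread or from any poster) of the minimal HS256 flow in PHP: the server issues a token carrying an `exp` claim and later verifies it with a constant-time MAC comparison and a pinned algorithm. The secret is assumed to come from a server-side environment variable; the variable name `API_JWT_SECRET`, the subject `user42` and the 10-minute lifetime are assumptions chosen for illustration. The `exp` claim is what answers the "5, 10 or 30 minutes" question above: the lifetime is a property of the token itself, the client never sees the key, and a fresh token is simply issued when the old one expires.

```php
<?php
// Added example: minimal HS256 JSON Web Token issue/verify using only PHP built-ins.
// Assumption: the secret lives only on the server (e.g. an environment variable).

function b64url_encode(string $data): string
{
    // JWT uses base64url without padding (RFC 7515 appendix C).
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data)
{
    $pad = strlen($data) % 4;
    if ($pad !== 0) {
        $data .= str_repeat('=', 4 - $pad);
    }
    // strict mode: reject anything outside the base64 alphabet
    return base64_decode(strtr($data, '-_', '+/'), true);
}

function jwt_issue(string $secret, string $subject, int $ttlSeconds, ?int $now = null): string
{
    $now = $now ?? time();
    $header  = ['alg' => 'HS256', 'typ' => 'JWT'];
    $payload = ['sub' => $subject, 'iat' => $now, 'exp' => $now + $ttlSeconds];

    $signingInput = b64url_encode(json_encode($header)) . '.' . b64url_encode(json_encode($payload));
    $signature    = hash_hmac('sha256', $signingInput, $secret, true);

    return $signingInput . '.' . b64url_encode($signature);
}

function jwt_verify(string $secret, string $token, ?int $now = null): ?array
{
    $now   = $now ?? time();
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;

    // Pin the algorithm server-side: never let the token choose it
    // (blocks alg=none and HMAC/RSA key-confusion tricks).
    $header = json_decode((string) b64url_decode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }

    // Recompute the MAC over the exact bytes received and compare in constant time.
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    $given    = b64url_decode($s);
    if ($given === false || !hash_equals($expected, $given)) {
        return null;
    }

    // Only after the signature checks out do we trust the claims.
    $payload = json_decode((string) b64url_decode($p), true);
    if (!is_array($payload) || !isset($payload['exp']) || !is_int($payload['exp'])) {
        return null;
    }
    if ($now >= $payload['exp']) {
        return null; // expired: the client must request a new token
    }
    return $payload;
}

// Usage (server side). API_JWT_SECRET is an assumed name for the deployment's secret.
$secret = getenv('API_JWT_SECRET') ?: bin2hex(random_bytes(32));

$token = jwt_issue($secret, 'user42', 600);          // 10-minute lifetime via the exp claim
$claims = jwt_verify($secret, $token);               // valid token: claims array
$late   = jwt_verify($secret, $token, time() + 601); // same token checked after exp
$forged = jwt_verify('not-the-secret', $token);      // wrong key: signature mismatch

var_dump($claims, $late, $forged);
```

Two things to note when adapting this. First, the token carries no secret material, so it can be handed to the browser as a bearer credential (Authorization header or a cookie), which removes the need for the timestamp-file and IP-matching steps in the original scheme. Second, if a token must be revocable before `exp`, store its `jti` (or the `iat` of the last password change) server-side and reject older tokens; for that and for RS256/ES256 support, a maintained library such as firebase/php-jwt is preferable to hand-rolled code in production.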