Hi Krishnakant,
I don't know if this is the best way, but it works pretty well for me:
* When my webapp POSTs user and password to /api/login, if it's valid, it
returns a token_auth in the reply. This token is persisted in the server
(redis in my case) as the key for the user data (such as department_id, tenant_id, name,
role, etc.)
POST: /api/login -> {"username": "myusername", "password": "yourpassword"}
REPLY:
{
"login": "myusername",
"token": "b89a187ac94e4728a47cfe1baf2a68f4"
}
When I receive the token, I store it in my webapp in a cookie or local
storage.
* Then you must send this token in every request; you can send it in two
ways:
- In a header, using Auth-Token. (I use Restangular and it's easy to
configure default headers)
- In the url, using auth-token for example:
www.mydomain.com/api/items?order_by=price&auth-token=b89a187ac94e4728a47cfe1baf2a68f4
That's all.
Make sure you use HTTPS!
Best regards,
Luis Aguirre
2016-01-03 7:21 GMT-03:00 Krishnakant <[email protected]>:
> Dear all,
> I wish to know what are the best practices in RESTful api when managing
> user authentication and other persistent data?
> I understand as a newbie that REST = totally stateless = no session
> persistence on server.
> So how do I do the authentication?
> I feel that on first time login the user id must be sent back in the
> response and then on every request the id should be passed.
> So before doing any activity related to CRUD, the server must check if a
> user with that id exists and if he is an admin or a normal user (as is
> required in my case).
> Is that Correct?
> if so then can I do this with more than one parameter?
> I also need the orc code for the given organization, as the service may be
> used by many organizations who share a common database.
> Happy hacking.
> Krishnakant.
--
You received this message because you are subscribed to the Google Groups
"pylons-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/pylons-discuss.
For more options, visit https://groups.google.com/d/optout.
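The flow Luis describes (login issues an opaque random token, the server keeps the token-to-user mapping in a store such as redis, every later request presents the token in an Auth-Token header and the server looks up role and tenant before doing any CRUD) as a small worked example. This is added code, not code from either poster; it replaces redis with an in-memory dict, stores only salted PBKDF2 password hashes, adds a token expiry and a logout that revokes the token, and reads the token from the header only. The user table, the TOKEN_TTL_SECONDS value and the field names beyond those mentioned in the post are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 3600  # assumption: a token is valid for one hour after login
TOKEN_HEADER = "Auth-Token"  # header name from the post


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; never store the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _make_user(password: str, **profile: object) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "password_hash": _hash_password(password, salt), **profile}


# Constructed user table (hypothetical); the post only names the kinds of data kept per user.
USERS = {
    "myusername": _make_user(
        "yourpassword", department_id=3, tenant_id=7, name="My User", role="admin"
    ),
}

# Stand-in for the redis store from the post: opaque token -> user data plus expiry.
TOKEN_STORE: dict[str, dict] = {}

# Fields copied from the user record into the token record (never the hash or salt).
_PROFILE_FIELDS = ("department_id", "tenant_id", "name", "role")

# Dummy salt so unknown usernames still cost one PBKDF2 run (no username timing oracle).
_DUMMY_SALT = secrets.token_bytes(16)


def login(username: str, password: str, now: Optional[float] = None) -> Optional[dict]:
    """POST /api/login handler: returns {"login": ..., "token": ...} or None on failure."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    candidate = _hash_password(password, user["salt"] if user else _DUMMY_SALT)
    if user is None or not hmac.compare_digest(candidate, user["password_hash"]):
        return None
    token = secrets.token_hex(16)  # 128 bits of randomness, 32 hex chars like the post's token
    TOKEN_STORE[token] = {
        "login": username,
        "expires_at": now + TOKEN_TTL_SECONDS,
        **{field: user[field] for field in _PROFILE_FIELDS},
    }
    return {"login": username, "token": token}


def authenticate(headers: dict, now: Optional[float] = None) -> Optional[dict]:
    """Per-request check: resolve the Auth-Token header to the stored user data.

    Returns the user record (role, tenant_id, ...) or None if the token is
    missing, unknown or expired. Expired tokens are removed from the store."""
    now = time.time() if now is None else now
    token = headers.get(TOKEN_HEADER)
    if not token:
        return None
    record = TOKEN_STORE.get(token)
    if record is None:
        return None
    if record["expires_at"] <= now:
        TOKEN_STORE.pop(token, None)
        return None
    return record


def require_role(record: Optional[dict], role: str) -> bool:
    """Authorization decision made before any CRUD work, e.g. admin-only routes."""
    return record is not None and record.get("role") == role


def logout(token: str) -> bool:
    """Revoke a token server-side; returns True if it existed."""
    return TOKEN_STORE.pop(token, None) is not None


if __name__ == "__main__":
    reply = login("myusername", "yourpassword")
    print(reply)
    user = authenticate({TOKEN_HEADER: reply["token"]})
    print("tenant:", user["tenant_id"], "admin:", require_role(user, "admin"))
```

Because the token is an opaque random value and all user data lives on the server, logout and expiry take effect immediately, which is the main practical benefit of this design over a self-contained token; the tenant_id in the record answers the original question about serving several organizations from one database.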