How to secure RESTful API - api

Guys,
I am opening up a bunch of RESTful APIs, mostly GET at the moment, not modifying anything in the database.
I am planning to use this in our own mobile app, and also to give it to one of two trusted developers in the Android applications they make.
I would like to know the possible & easiest way to secure the API so that only the applications I authorize can use it.
What's the best way to do that? I am using Rails 3.2

Related

Can I use NextJs API routes to handle both web and mobile app?

I want to create a web app in Next.js and in the future a mobile app in React Native. But I am confused about which API to use. Do you think that the Next.js API can handle both web and mobile apps? Is this possible and is it a good idea at all? Should I use a PHP backend for that? Thank you very much.
With the assumption that you are talking about API Routes:
I would ask that you think through the scale of your web and app. If this is a simple web/app that you do not expect to grow much, the Next.js API, which is similar to standing up a Node.js Express server, is not a bad option.
Remember a few considerations when designing this API:
You may have to distinguish the request origin (web/app).
CORS may have to be customized; Next exposes this.
You could set an app-specific route to ensure isolation, or use headers to distinguish behavior if your application bifurcates in the future.
These concerns are shared even if you made a PHP, ExpressJS or any other API middleware.
Once you are past all this, I would ask you to consider:
Using a GraphQL server like Apollo that works nicely with Next and is custom built for this purpose.
Evaluating API Gateways for security and scale.
You don't need to use any external tools at all.
Next.js has a serverless model, so you don't need to mess with the backend.
You can create as many API routes as you want in the /pages/api folder. You can even split them into /pages/api/desktop and /pages/api/mobile folders.
You connect your database (MongoDB, SQL etc.) via /middleware/your_file.js. Here is an example for MongoDB.
If you like, you can even add some security (e.g. Auth0, next-auth etc.) to secure your API routes created in the /pages/api folder. Example for Auth0.
After that, you can access your data through API calls. Very good!

Architecture and technologies of an instant chat app in flutter

I want to build an instant chat app with flutter without any third party services.
I've been working on a simple app using a RESTful Laravel API for login, multiple methods and logout, using token authentication for each request. However, I find that architecture not suitable for a modern instant chat. I discovered WebSockets, which sound great, but I can't yet grasp how I could subscribe to and consume one from Flutter. I've read about web channels, but I'm not sure how they handle authentication for users. Is it possible to handshake and establish a session from my app? If so, how?
Or, can it be done totally RESTful? How could I post messages and listen to other users' messages in that case?
Besides the chat functionality, is it recommended to work RESTfully? Or is Flutter able to maintain a solid, authenticated session? I'm kinda new to Flutter.
I appreciate any info, link or recommendation. Please, refrain if you were going to mention firebase, I want to build my own backend. Thanks!!
You should check out MQTT, an IoT protocol which is currently used for chat applications very widely.
To know about MQTT, see this.
But first I will recommend you to understand the Pub-Sub (Publisher-Subscriber) model; if you understand it then that's great.
For the pub-sub model, see this.
Or, can it be done totally RESTful? How could I post messages and listen to other users' messages in that case?
Yes, it can be done totally RESTful, but honestly it's not recommended. You should do it with WebSockets.
Besides the chat functionality, is it recommended to work RESTfully? Or is Flutter able to maintain a solid, authenticated session? I'm kinda new to Flutter.
Depends on your architectural choice. There are many good options for which architecture you want to choose. Apart from RESTful there is GraphQL also, if you are comfortable with it. Apart from chat functionality, mostly you will see people using RESTful, but people who know GraphQL might also use that instead of RESTful.

Cookie-based authentication and web API

I'm architecting a public web API for my service. It will be equally consumed by web pages and native mobile apps (iOS, Android and Windows 8).
Should I use cookie-based authentication? I mean, is this the best practice for this scenario?
Further Info:
After a little research in the authentication/authorization/OpenID Connect field I realized that most of everything is handled by the browser; by that I mean the redirects, cookie insertion and related "boiler-plate" stuff... When I think about all that boiler-plate that I will have to duplicate in my native apps, I wonder if that model is the best for mobile apps. I mean, maybe there's another, more mobile-native-friendly way...
PS: I know that this is a little generic still; it's just that I'm a beginner in the field of security and I don't know how to properly express my doubts/concerns/"laziness" yet...
The API itself should really be stateless, and not manage any sessions. Each request to an API should be made with the authentication details (e.g. OAuth token).
If the Web pages and mobile applications need to maintain some kind of session, then it should be up to them as clients of the service to maintain that state. For instance, a Web page might set a session cookie for the user, but a native mobile app might want a completely different approach.
See also: If REST applications are supposed to be stateless, how do you manage sessions?

CakePHP and RESTful with PhoneGap

I have built a CakePHP site with RESTful calls. Happy to say these calls work when using curl from another PHP site. (This is all testing at the moment.)
The next stage is setting up authorization; from my understanding I'd be looking at either basic or digest login to make RESTful calls.
I'd like to build a PhoneGap app that requires login. Would RESTful calls to CakePHP be the way to go, i.e. making a RESTful API for my site?
I'd like to provide an API key. How would this key be secured in a PhoneGap app?
How secure is PhoneGap in general? If the files for an app are CSS, HTML, JS, can't the app be broken into and the files revealed?
Just looking for general advice and a direction to continue researching.
I believe what you need would be a stateless authentication system. CakePHP comes with two built in. Take a look at this example.

Best Way to Stream GMail API

I'm building a web application using Gmail's IMAP API. What would be the best way for me to make the updates "real-time"?
As of right now I'm using a Ruby Sinatra backend and backbone.js on the frontend. I'm looking for a way to make the communication between my frontend, my server, and the gmail api to be as fast and seamless as possible.
Thanks for the help
Edit: what I mean is, what is the best way to make it seem real-time? I realize Gmail does not support WebSockets. But what would be a good way of setting up my server and front end to make the data transaction as frictionless as possible?
I do not think this is possible. HTTP does not work this way. You would need WebSocket for this, but the Gmail API does not support WebSocket.
You can either update info often (but you will run into Google API request number limits),
or update info when the user needs it (that needs careful planning).