Question
I'm building a RESTful API for my application and I would like to make it as clean and transparent as possible.
I need to create an authentication endpoint, and it makes the most sense to me to build it so that users can authenticate in the following way:
GET https://example.com/auth?identity=<username_or_email>&password=<password>
As I said, passing the user auth data using the HTTP GET method in query parameters just seems very clean to me.
But I would like to ask you how secure it actually is. Considering it will be encrypted through SSL/TLS, do you think it's a good idea to transfer user credentials like this?
Answer 1:
As Display Name said, both variants are basically plain text (even using base64 encoding). So you must use TLS or another protection like HMAC.
But on the other hand, the query string is less secure in terms of how servers and clients work with URLs in general. You can read about this here or here. Briefly, you should worry about the following:
- URLs are stored in web server logs
- URLs are stored in the browser history
- URLs are passed in Referrer headers
Answer 2:
Well, I basically pass a base64 string to the server. My username and password are converted to base64 and then passed in the Authorization header:
Authorization: Basic --Value
I find this the cleanest way of passing a username and password to the server.
On the other end, the server has a module called passport. Passport provides different types of authorization and authentication like Basic, bearer, token, or even your own custom scheme.
For the above purpose I use the Basic module.
Answer 3:
From a security point of view it does not matter if you pass credentials as query parameters or in the Authentication headers. Both are basically plain text. So you must use TLS.
From a REST point of view, your URL looks like RPC: you call a method auth that accepts two parameters, identity and password. What is the REST resource this URL represents? What happens if you make a second GET request with identical parameters? What is the response?
Source: https://stackoverflow.com/questions/36820000/passing-username-and-password-in-http-get-query-parameters