I'm writing a RESTful API for my webservice.
When I get a request to the server, the first thing I do is check the appKey and the appSecret.
This is not a problem with POST methods because I can add them to the request as follows:
(This method returns the user's details)

$data = array('appId'     => $appId,
              'appSecret' => $appSecret,
              'userId'    => $uid);
$url = "http://mydomain.com/api/user/".$uid;
$request = curl_init($url);
// Setting CURLOPT_POSTFIELDS makes cURL send a POST with the fields in the body
curl_setopt($request, CURLOPT_POSTFIELDS, $data);
curl_setopt($request, CURLOPT_RETURNTRANSFER, true); // return the response instead of printing it
$result = curl_exec($request);
curl_close($request);

My question is how can I (if it's possible) include the data (appSecret, appKey) in a GET method?

And if not, how can I use a GET method to get user's details and still check the appKey and appSecret on the server?

Thanks!

I wouldn't recommend placing secrets or keys in the GET string. URLs are often recorded in server logs. So placing authentication information there could lead to the information being stored with malicious intent. Try using HTTP headers instead. Commented Jan 23, 2011 at 20:17

3 Answers

3

In a GET request, arguments are passed in the "query" section of the URL.

http://www.google.com/search?q=url+query

Arguments passed in this way must be specially encoded ("URL encoded"), because certain characters have special meaning.


4 Comments

Is there a way to put the arguments in the $data array?
If you're worried about the security of your data (as you should be), it's really not sufficient to put your cleartext secrets in your requests at all. If you're trying to implement access control to your service, there are dozens of existing solutions for handling this. Don't try to invent your own, because cryptographic protocols are notoriously difficult to get right, either in design or in implementation.
Can you recommend one of these access controls?
I would recommend looking into OpenID, which is supported by a lot of different platforms and libraries.
2

Why not put them in your URL, like this:

$url = "http://mydomain.com/api/user/".$uid."?arg1=value1&arg2=value2";

3 Comments

I don't want the appKey and appSecret to be in the URL.
Then you don't want a GET request. As Chris says above, you should use HTTP Headers.
How can I use HTTP headers with cUrl?
1

If you want to put the appKey and appSecret in the GET request's header, use:

$request = curl_init("http://mydomain.com/api/user/".$uid); // GET is cURL's default method
// Send the credentials in a custom Authorization header instead of the URL
$authorization = sprintf('Authorization: AppLogin key="%s", secret="%s"', urlencode($appKey), urlencode($appSecret));
curl_setopt($request, CURLOPT_HTTPHEADER, array($authorization));

Then on your REST server, you can get the app key and secret from $_SERVER['HTTP_AUTHORIZATION'] via preg_match.

You can also use a basic signature method instead of passing the appSecret each time.

$nonce = sha1(mt_rand());                      // one-time value so the signature differs per request
$signature = sha1("$appKey:$appSecret:$nonce"); // the secret itself never leaves the client
$authorization = sprintf('Authorization: AppLogin key="%s", signature="%s", nonce="%s"', urlencode($appKey), urlencode($signature), urlencode($nonce));

Then on the server, first get the values from the Authorization header, then get the secret assigned to the app based on the appKey, rebuild the signature using the same method, and finally compare it with the signature sent by the app.
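The server-side half of this scheme, as an added example that is not part of the answer above: it parses the Authorization header with preg_match as the answer describes, looks up the app's secret, rebuilds the sha1 signature with the same method the client uses, compares it in constant time with hash_equals(), and rejects a nonce that has already been seen. lookupAppSecret(), the in-memory nonce map and the "demo-app" credentials are constructed stand-ins for whatever store your API actually uses.

```php
<?php
// Added example: verifying the "AppLogin" signed header on the server.
// Assumption: the client signs exactly as on this page, sha1("$appKey:$appSecret:$nonce").

const NONCE_TTL_SECONDS = 300; // assumption: a nonce is remembered for 5 minutes

// Constructed app registry; stands in for a database table of app credentials.
$APP_SECRETS = [
    'demo-app' => 's3cr3t-value', // constructed sample credentials
];

function lookupAppSecret(string $appKey): ?string {
    global $APP_SECRETS;
    return $APP_SECRETS[$appKey] ?? null;
}

/**
 * Parse 'AppLogin key="...", signature="...", nonce="..."' into an array.
 * Returns null when the header is not in the expected form.
 */
function parseAppLoginHeader(string $header): ?array {
    if (!preg_match('/^AppLogin\s+(.*)$/i', trim($header), $m)) {
        return null;
    }
    // Each field is name="value"; the client urlencode()d the values.
    if (!preg_match_all('/(\w+)="([^"]*)"/', $m[1], $pairs, PREG_SET_ORDER)) {
        return null;
    }
    $fields = [];
    foreach ($pairs as $p) {
        $fields[$p[1]] = urldecode($p[2]);
    }
    foreach (['key', 'signature', 'nonce'] as $required) {
        if (!isset($fields[$required]) || $fields[$required] === '') {
            return null;
        }
    }
    return $fields;
}

/**
 * Verify parsed header fields. $seenNonces is a nonce => timestamp map passed by
 * reference; in production it would be a shared store (database, Redis, ...).
 */
function verifyAppLogin(array $fields, array &$seenNonces, int $now): bool {
    $secret = lookupAppSecret($fields['key']);
    if ($secret === null) {
        return false; // unknown app key
    }
    // Rebuild the signature with the same method the client used.
    $expected = sha1($fields['key'] . ':' . $secret . ':' . $fields['nonce']);
    // hash_equals() compares in constant time, so a wrong guess does not leak
    // how many leading characters matched.
    if (!hash_equals($expected, $fields['signature'])) {
        return false;
    }
    // Forget expired nonces, then refuse any nonce already used: without this
    // step a captured header could simply be sent again.
    foreach ($seenNonces as $nonce => $ts) {
        if ($now - $ts > NONCE_TTL_SECONDS) {
            unset($seenNonces[$nonce]);
        }
    }
    if (isset($seenNonces[$fields['nonce']])) {
        return false;
    }
    $seenNonces[$fields['nonce']] = $now;
    return true;
}

// --- Client side with constructed values, built as in the answer above ---
$appKey = 'demo-app';
$appSecret = 's3cr3t-value';
$nonce = sha1(random_bytes(16)); // random_bytes() is a stronger nonce source than mt_rand()
$signature = sha1("$appKey:$appSecret:$nonce");
$headerValue = sprintf('AppLogin key="%s", signature="%s", nonce="%s"',
    urlencode($appKey), urlencode($signature), urlencode($nonce));

// --- Server side; normally $headerValue comes from $_SERVER['HTTP_AUTHORIZATION'] ---
$seen = [];
$fields = parseAppLoginHeader($headerValue);
var_dump($fields !== null && verifyAppLogin($fields, $seen, time())); // first use
var_dump($fields !== null && verifyAppLogin($fields, $seen, time())); // same nonce again
```

Two caveats worth knowing before deploying this. With PHP running as CGI or FastCGI under Apache, the Authorization header is frequently not copied into $_SERVER['HTTP_AUTHORIZATION'] at all; you either need a rewrite rule that passes it through or have to read it with apache_request_headers(). And because the signature covers only the key, secret and nonce, a valid header is equally valid for every endpoint until its nonce is consumed; the usual hardening is to sign a digest of the method, path and a timestamp with hash_hmac('sha256', ...) keyed by the app secret, so that the header is bound to one specific request.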

