gpb

gpb

Architecture for client / server authentication / api-key

A friend is creating a private API Gateway / Service, written in GO.

I am creating an Elixir Client, a simple web Phoenix web-app that will allow a few users to login and consume these API services.

We want to limit access to this private API to just our Elixir client for now, in as secure a way as possible.

Our thinking so far is:

*Use an API-key to limit access to only the Elixir Client. The intent is to prevent other external client-apps from attempting to use the API (for now).

*When a user logs in successfully, the API passes back a token or starts a session.

*Onwards, we will use a token or session for authentication for this user.

My question: after a successful login, is it superfluous to continue passing the API-key? Or, is it simply necessary by design?

Most Liked

dwahyudi

dwahyudi

RESTful should be stateless.

I think you should always pass the API-key. Just make sure that it is really really secret.

Some people likes to create session on API-endpoint. I personally don’t.

OvermindDL1

OvermindDL1

If it is actually an API, cookie-less, then always pass in the API key, always. If you have cookies then use the cookie to store it instead after a login. Most API’s don’t support cookies though and always passing in the key is generally done.

For note, always passing the ‘same’ key is generally a security issue. Generally you get an initial key, pass it in on the first request of whatever you need to do, and you get a new single-use key back, and repeat with that one. That tends to be more irritating to use though so most don’t actually do that as it requires client-local storage too.

OvermindDL1

OvermindDL1

Eh the definition is fuzzy, but I generally use it in such a way that each request is entirely stateless.

I think it’s just because adding cookies complicates ‘some’ client libraries (not so much anymore, but back in the day it definitely did).

Not at all, if anything cookies are more performant. I really think it’s just because so many older http client libraries didn’t have cookie support (but as stated, nowadays that’s not really an issue anymore, so its an old holdover).

CptnKirk

CptnKirk

Why would a Cookie header value be more performant than say an Authorization header value or a request param?

You also open yourself up to many potential security holes depending on how your HTTP client is used elsewhere within the system.

This Wikipedia entry has a good rundown of the more common gotchas. I’d stick with a generated API token managed outside of a cookie myself.

OvermindDL1

OvermindDL1

A cookie would be about the same as an authorization header for that, but as a request param not as much (phoenix has to parse those out in a different way, plus you don’t want cache’rs to cache secure parameters). Passing it in via a header is fine though, via a parameter or javascript encoding or so is slower (but not enough to really matter).

As for the issues, just keep doing the same things, invalidate it on every request and issue a new one (which is much easier for the client to handle then if it’s a cookie as then they don’t need to do anything special beyond cookie things).

Where Next?

Popular in Questions Top

Harrisonl
We have an ECS cluster with 4 services, where each task joins a single cluster, via discovery ECS discovery service. Currently when I de...
New
lk-geimfari
What is most correct way to open, read and parse JSON file with poison? For example if we have example.json file in root of some projec...
New
stefanchrobot
What’s the safe way to decode a JSON string into a struct? I want to avoid calling String.to_atom. Jason.decode can give me a map with st...
New
vac
Hi, I'm quite new in Elixir and I'm trying to format a string to a PEM format. I have the certificate value like MIIDBTCCAe2...... and ...
New
freewebwithme
Using vs code and installed ElixirLS: support and debugger. And I got an error popped up on start up says Failed to run ‘elixir’ comma...
New
makeitrein
Hey all, just started picking up Elixir last week and am writing a scraper as a learning project. Baby step #1 is extracting the number ...
New
mathew4509
I have a list say x = ["23gh", "56kh", "97mh"] I would like to pass each element to Val in each iteration. Say, in iteration 1 -------...
New
baxterw3b
Hi guys, i’m new in the Elixir world, and i have to say, that i love it! i’m having some problem to understand anonymous functions with ...
New
skosch
To my knowledge, put_in, Map.update etc. all have the one limitation of not automatically creating intermediate keys when needed (for exa...
New
romenigld
I am trying to run a deploy with docker and I successfully runned with this command: docker build -t romenigld/blog-prod . but when I t...
New

Other popular topics Top

sergio
In Ruby, I can go: User.find_by(email: "foobar@email.com").update(email: "hello@email.com") How can I do something similar in Elixir? ...
New
yawaramin
In the Dialyzer docs ( http://erlang.org/doc/man/dialyzer.html#requesting-or-suppressing-warnings-in-source-files ), there is a way to tu...
New
itssasanka
Hi all, Trying to get some more clarity over utc_datetime and naive_datetime for Ecto: https://hexdocs.pm/ecto/Ecto.Schema.html#module-...
New
AstonJ
You’re a programmer, so you don’t need spoon feeding with the conventional drivel about “this is an integer.” No. You need to know what’s...
New
aadeshere1
I have a another noob question about loop. Since elixir is immutable, while loop is not directly possible. total = 10 while total != 0 ...
New
minhajuddin
I have seen a lot of code which picks the first element from a list using Enum.at(0) instead of List.first. Is there a reason why people ...
New
ovidiubadita
Hey all, I discovered Elixir and I love it. I always wanted to learn a functional programming and I intended to go for Haskell, but afte...
New
josevalim
Hi everyone, One of the features added to Elixir early on to help integration with Erlang code was the idea of overridable function defi...
New
aesmail
Hello guys, I have finally made it. I created an admin interface for a framework. It’s been on my todo list for years and with the curre...
New
magnetic
Hey :wave:t3: Elixir community, I’ve been learning Elixir, and working on some side projects. My editor of choice is VSCode, and althoug...
New

We're in Beta

About us Mission Statement