Mobile App talking to API - authentication question

HI,

I am building a mobile app (using phonegap) which speaks to an API.

In this app, users need to register and log in in order to use the app. For this I have built an API ( served only over https ). I am just wondering what the best way is to sort the authentication.

At the moment when you log in, it checks email address and password. If the combination is found in the database, I am returning a randomly generated key with 50 characters ( uppercase, lowercase, numbers and a few special characters ). The app is then storing this key in local storage.

Whenever the app does an api call, the key is added to the header. Before the API does anything, it checks the key and checks if it is valid. Only once validated the rest of the api call is performed.

The tokens are stored at the api side in the database along with an expiry date and the user agent. If the user agent is different to the one that was used to create the token, the token is immediately invalidated and deleted.

Is this a relatively safe method or are there any security risks?

Thanks

 

What you are returning is a token, not a key.
Key is something constant, specific to the app or the developer.
Tokens are generated on the fly, for a particular session, for a specific time.

When a user needs to authenticate, the app sends the user to your website, passing the Key in headers.
When user authenticates successfully, then a token is generated for a defined expiry time, and this is returned back to app.
This is what you are returning, a TOKEN, not a KEY.
Key is completely missing from your flow process.


Now whenever app makes a request, it sends both its developer KEY, and the TOKEN to your server, in headers.
Your server checks both if KEY is valid, and if TOKEN is valid, and processes the request, logging the KEY and the activity requested.

With just the token, and without the KEY, there is no way of knowing which developer app sent the request.

Suppose 5 people made 5 apps using your API.
Each app sends the user to your website for authentication. User enters their email/password to login.
You returned the token to the app.
Can you tell which of the 5 apps is making the request? No.
If an app keeps sending bogus requests, overloading your server, there is no way of knowing which app to block, since there is no developer key...

If you are the only one who would make an app, API is not public, even then use the developer KEY check instead of user agent check.
If someone steals the token, they cannot steal the developer key, cause that is hard coded in your app.
The token can be stolen because your server is returning it as an "output" to a https request, later sent as "headers" back to you.
But the developer key always stays in headers, never visible.

The user agent check is useless. Its so simple to fake a user agent...

I hope I understood your question correctly.

 

Thanks for explaining.

Just to explain, the API will not be public and as far as planned there will only be one app be made using this api.

While it is easy to fake the user agent, in order to validate the token you would need to know that you also need the exact user agent. If you just have a token it is useless.

Also it is possible to return the api token via the header.

Anyway my general question was if the the method of using tokens and submitting them via header is a good way to do this or if I should be doing it a more secure way.

 

I think sending in headers is good enough.

 

Thanks

 

Welcome