Forum Discussion

eyee's avatar
eyee
Contributor
10 years ago

How to use the REST API securely

Hi, I'm using the REST API v1 to retrieve a blog post using the api session keys. Currently my community uses http to access the REST api and I'm concerned on how I'm retrieving the token. I don't have SSO enabled, so my URL to request a token looks something like http://<community  url>/restapi/vc//authentication/sessions/login?user.login=<user name>&user.password=<password>. I'm concerned someone in the middle can see the user name and password since it's not https.

 

What's the recommended way to securely retrieve the blog post? The blog post content requires a user to sign on to view them, so they're not public. But the user we're currently using can see other private posts that's not limited to the blog, so I don't want the user name and password to be seen.

  • You should be able to have your community configured so that you can make the /sessions/login call over HTTPS.  If it's not already configured to do so, I would recommend filing a support case to have it set up.

5 Replies

  • DougS's avatar
    DougS
    Khoros Oracle
    10 years ago

    You should be able to have your community configured so that you can make the /sessions/login call over HTTPS.  If it's not already configured to do so, I would recommend filing a support case to have it set up.

  • PaoloT's avatar
    PaoloT
    Lithium Alumni (Retired)
    10 years ago

    If setting up SSL is a problem (it shouldn't be...) you should also be able to proxy your call trough an endpoint.

     

    1. Web Page calls Lithium Endpoint 
    2. Code in Lithium Endpoint verifies who the logged user is (or any other required checks) and then retrieves the content (could be via restadmin)

     

    Of course - the feasibility of this approach depends on what kind of checks you need to perform to serve the content, and you should also avoid creating a "backdoor" that someone could exploit to retrieve content they are not meant to see.

  • eyee's avatar
    eyee
    Contributor
    10 years ago

    So the rest of the site would remain http and only certain parts of the site, like login can be accessed over https? Because I've tried using https://<community  url>/restapi/vc//authentication/sessions/login?user.login=<user name>&user.password=<password> and I'll get an error. But it sounds like this is simply a configuration issue?

  • PaoloT's avatar
    PaoloT
    Lithium Alumni (Retired)
    10 years ago

    Hi eyee

     

    what kind of error are you getting? A certificate error? If this is the stage website, it may be that SSL has not been enabled there, if it's production I suggest raising a Support case to get it looked at.

     

    In terms of SSL setup, we can configure it to be off for all pages, enabled for PII pages or force the entire community over SSL. We can also configure the APIs to be served over SSL (as DougS already suggested).

     

    Regards,

  • eyee's avatar
    eyee
    Contributor
    10 years ago

    Thanks. I believe it's actually a production site and it's disabled. I'm not entirely clear on the details of why SSL isn't enabled on the site and I'll look into it.