Forum Discussion

eyee
Contributor
10 years ago

How to use the REST API securely

Hi, I'm using the REST API v1 to retrieve a blog post using the API session keys. Currently my community uses http to access the REST API and I'm concerned about how I'm retrieving the token. I don't have SSO enabled, so my URL to request a token looks something like http://<community url>/restapi/vc//authentication/sessions/login?user.login=<user name>&user.password=<password>. I'm concerned someone in the middle can see the user name and password since it's not https.


What's the recommended way to securely retrieve the blog post? The blog post content requires a user to sign on to view it, so it is not public. But the user we're currently using can see other private posts that are not limited to the blog, so I don't want the user name and password to be seen.

  •
    DougS
    Khoros Oracle

    You should be able to have your community configured so that you can make the /sessions/login call over HTTPS.  If it's not already configured to do so, I would recommend filing a support case to have it set up.

    •
      eyee
      Contributor

      So the rest of the site would remain http and only certain parts of the site, like login, can be accessed over https? Because I've tried using https://<community url>/restapi/vc//authentication/sessions/login?user.login=<user name>&user.password=<password> and I'll get an error. But it sounds like this is simply a configuration issue?

      •
        PaoloT
        Lithium Alumni (Retired)

        Hi eyee,

        What kind of error are you getting? A certificate error? If this is the stage website, it may be that SSL has not been enabled there; if it's production, I suggest raising a Support case to get it looked at.


        In terms of SSL setup, we can configure it to be off for all pages, enabled for PII pages or force the entire community over SSL. We can also configure the APIs to be served over SSL (as DougS already suggested).


        Regards,

    •
      PaoloT
      Lithium Alumni (Retired)

      If setting up SSL is a problem (it shouldn't be...), you should also be able to proxy your call through an endpoint.

      1. Web page calls Lithium Endpoint
      2. Code in Lithium Endpoint verifies who the logged-in user is (or any other required checks) and then retrieves the content (could be via restadmin)

      Of course, the feasibility of this approach depends on what kind of checks you need to perform to serve the content, and you should also avoid creating a "backdoor" that someone could exploit to retrieve content they are not meant to see.
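Added example, not code from this thread or from Lithium/Khoros: the two points raised above sketched in Python rather than a FreeMarker endpoint. `login_url` builds the sessions/login URL from the opening post but refuses anything other than https, since the credentials ride in the query string; `serve_blog_post` is the proxy pattern PaoloT describes, checking the caller's session, fetching with admin-level rights, and releasing only posts from one allowed board so the wider restadmin visibility cannot become the "backdoor" he warns about. The login path (single slash after /vc), the session table, the board name and the post data are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlencode

# Login path of the form used in the thread (assumed; single slash after /vc).
LOGIN_PATH = "/restapi/vc/authentication/sessions/login"


def login_url(community_base, username, password):
    """Build the sessions/login URL, refusing any scheme other than https,
    because user.login and user.password travel in the query string."""
    scheme = urlsplit(community_base).scheme.lower()
    if scheme != "https":
        raise ValueError("refusing to send credentials over %r; use https" % scheme)
    query = urlencode({"user.login": username, "user.password": password})
    return community_base.rstrip("/") + LOGIN_PATH + "?" + query


@dataclass
class Post:
    post_id: str
    board: str
    title: str
    body: str


# Constructed stand-ins for the endpoint side: the community's session table,
# the single blog board this endpoint may serve, and content visible to restadmin.
SESSIONS = {"sess-alice": "alice"}          # session id -> signed-in user
ALLOWED_BOARD = "blog-announcements"
CONTENT = {
    "42": Post("42", "blog-announcements", "Release notes", "What changed"),
    "99": Post("99", "private-staff-board", "Internal memo", "Not for members"),
}


def fetch_post_as_admin(post_id):
    """Stand-in for the restadmin call; it can read every board."""
    return CONTENT.get(post_id)


def serve_blog_post(session_id, post_id):
    """Endpoint logic: verify the caller is signed in, fetch with admin rights,
    then release only posts from the allowed board so restadmin's wider
    visibility cannot be turned into a backdoor to other private boards."""
    if SESSIONS.get(session_id) is None:
        return {"status": 401, "error": "not signed in"}
    post = fetch_post_as_admin(post_id)
    if post is None or post.board != ALLOWED_BOARD:
        return {"status": 404, "error": "no such blog post"}  # same answer either way
    return {"status": 200, "title": post.title, "body": post.body}
```

The 404 for an off-board post is deliberate: answering differently for "not found" and "exists but not served here" would leak which ids exist on private boards.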