Saturday, 28 September 2013

RESTful API authorisation through client

I'm currently writing an API to service my web app. The app is very client
side oriented, having JavaScript handle routing and rendering etc. in the
front end. To increase scalability the API is a completely separate
resource. Having this setup, I need to continually call the API from the
front end to receive different types of data.

Some of the services exposed by the API should be accessible only to the
authorised user. So whenever users log in they are authorised server side
and an access_token is created, which should be passed through the HTTP
Auth. header or as a query string for every request to a protected
service. My concern is that to automate the authorised requests and avoid
compromising the 'RESTfulness' of the API, I would need to store the
access_token in the client side cache short term and as a cookie for
returning users.

My question is, does it make sense to authorise in this fashion? I feel I
don't need to use OAuth at this development stage because the API will
only be utilised by the app itself. Moreover, is it safe to store a 'long
lived' token in the client cache or in a cookie to persist the logged-in
state?
