First authentication to get a token

I am writing a mobile client for an online store. I wrote a REST API to access data on a server. Now I need to authenticate the user.
I read a lot about this and came up with a simple solution.
Firstly, when the user first launches the application, they must enter the exact password and login from their online store account. The password is somehow sent to the server and verified, after which the user receives a response.
If everything is in order, the user gets an access token, which can be used in the future to access personal data. If not, they get a simple deny message.

I have a few questions:

  • What is the best way to send the password and login for the first time to get an access token? Encrypt the password with some algorithm and then send it over plain HTTP, or establish an HTTPS session and simply use that channel to transmit the data over the network? In that case the password does not need to be encrypted; just use the public/private keys provided by HTTPS?

  • Is it possible to send this request as a POST via HTTPS, for example using the URL /api/v0/store/auth? Or is it better to do it differently?

  • In all cases where HTTPS is used, do I need a self-signed certificate?

I would be grateful for any help. Thanks in advance.

+4
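As an added illustration of the flow asked about (not code from the question or the answer): the server side of a POST to /api/v0/store/auth that only accepts credentials over HTTPS, verifies the password against a salted PBKDF2 hash rather than a stored cleartext password, and returns a random token whose hash is kept server-side with an expiry. The JSON body format, the in-memory user/token tables and the one-hour token lifetime are assumptions for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

_PBKDF2_ITERATIONS = 200_000  # assumed work factor

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ITERATIONS)

# Constructed user record: only a salt and a password hash are stored, never the password.
_SALT = secrets.token_bytes(16)
USERS = {"alice": {"salt": _SALT, "pw_hash": hash_password("correct horse", _SALT)}}

# Issued tokens are stored hashed, so a leaked table does not yield usable tokens.
TOKENS = {}

def verify_credentials(login: str, password: str) -> bool:
    user = USERS.get(login)
    # Always run the hash so response time does not reveal which logins exist.
    salt = user["salt"] if user else bytes(16)
    expected = user["pw_hash"] if user else bytes(32)
    candidate = hash_password(password, salt)
    return user is not None and hmac.compare_digest(candidate, expected)

def issue_token(login: str, ttl_seconds: int = 3600) -> str:
    token = secrets.token_urlsafe(32)  # 256 bits of randomness; unguessable
    key = hashlib.sha256(token.encode()).hexdigest()
    TOKENS[key] = {"login": login, "expires": time.time() + ttl_seconds}
    return token

def handle_auth_request(method: str, path: str, body: str, is_https: bool):
    """Handle POST /api/v0/store/auth; returns (HTTP status, response dict)."""
    if not is_https:
        return 403, {"error": "credentials are only accepted over HTTPS"}
    if method != "POST" or path != "/api/v0/store/auth":
        return 404, {"error": "not found"}
    try:
        creds = json.loads(body)
        login, password = creds["login"], creds["password"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "malformed request"}
    if not verify_credentials(login, password):
        return 401, {"error": "denied"}  # same message for bad login and bad password
    return 200, {"token": issue_token(login)}

def lookup_token(token: str):
    """Return the login a presented token belongs to, or None if unknown/expired."""
    rec = TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None or rec["expires"] < time.time():
        return None
    return rec["login"]
```

The client sends the password unmodified inside the TLS session; TLS provides the confidentiality, and the server never needs the password again once the token is issued.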
1 answer

1 - , HTTPS. , , , . .

2 - , post .

3 - , , , , , . SSL- , VeriSign .

+1
