问题描述:

I have an PHP web site that I am connecting to a mobile application via a RESTful JSON API.

From what I know its imperative that I keep the concepts of Get/Post separated. However we're attempting to do this in a secure manor. Right now on every request we pass a public_key and hash. The public_key is used to identify the user making the request and the hash is used to authenticate them.

The hash is built off of a few factors including a private key held by both parties. And the web sever builds a hash and authorizes the request if the sever built hash matches the passed in hash.

However right now we're doing this in a post, to send the information via JSON.

{

"auth_map":{

"pubkey":"a40834b928803e358d6acb74b41e43e419d0d7f983570d9063a910781458a3a",

"hash":"9522903fcac35d75d5290804c173756250319da5beb727f13937206948edf52ed"

}

}

With the endpoint being a url.com/api/v1/items

This endpoint should be used with an Http Get to get back all the items. But right now we're forced to doing a post even though were not sending or adding a list item to the server.

Is there a better way to be doing this? Should I be doing a base64 encoding of the auth and pushing it into a basic http auth header? Any recommendations would be great.

相关阅读:
Top