We want to develop a PhoneGap-driven web app for our end users so that they can access and modify their personal data on our library management system (LIS) via its REST API endpoints. Since the only two layers of security provided by the LIS are API keys and a generic access management on the API level, we feel that we need to improve the security a lot.
Below you'll find our work-in-progress definition of what secure access to our LIS API means for us. It would be great if you could skim it and give us your opinion on whether this would be doable with the DreamFactory Services Platform (DSP) and whether our ideas can be called "secure" at all.
An ideal secure(?) request from our app via DSP
1. Initial request from the mobile app (client) to the DSP with an API key provided by the DSP during definition of the custom service endpoint. This key will be stored somewhere in the source code of the client. Furthermore, a username and password provided by the user through a normal web form are sent along with the request.
2. The DSP evaluates the incoming API key. If it's valid, it performs step 3. Otherwise it sends back an error message to the client.
3. The DSP issues a request to an external authentication server (in our case CAS) with the username and password provided by the request in step 1.
4. If the DSP receives a positive response from the authentication server, it proceeds with step 5. Otherwise it sends back an error message to the client.
5. The DSP creates an access token and sends it back to the client.
6. The client now makes the necessary request(s) using the access token.
7. The DSP checks whether an access token is present and whether it is valid (regarding its syntax and expiration date). If the access token is valid, the DSP routes the request to our LIS API with the necessary API key for the LIS API, which will be pulled in from a lookup key stored on the DSP. If the access token is not valid (e.g. has expired), the DSP sends back an error message to the client.
Skimming the DSP documentation, it seems that we'll have to resort to server-side scripting (especially for steps 3 and 4) and to implementing OAuth (step 5).
Best regards and thanks, Matthias