Is this login logic via RESTful call sound?

Question

(I am not talking about authenticating calls to RESTful API. I am talking about creating login logic for user via RESTful API.)

When user access any page of my site, a servlet filter will intercept the request and check if necessary authentication info exists in session. If not exists, user will be directed to login page.

On the login page, an ajax call is made to a RESTful API on server with username and password. Depending on the return status of that RESTful API, the JavaScript on the page will decide whether let user into the site. Note that the actual authentication logic is still carried out on server side. Client JS only acts based on the result from server.

On the server, the RESTful login API will check the submitted username/password and see if it is contained in DB. If exists, it will store necessary authentication info into the session so future requests from the same client will not be blocked.

My questions are:

• Is this login logic sound?

• Because session is involved, the RESTful login API is kind of not stateless. So is it still RESTful?

Here's my code:

login.js

// login.js
$(function () {
    $('#submitDiv').click(doLogin);
});

function doLogin() {
    $('#resultDiv').text("start!");
    user = new Object();
    user.username = $('#txtUsername').val();
    user.pwd = $('#txtPassword').val();

    $.ajax({
        headers: {
            'Accept': 'application/json',
            'Content-Type': 'application/json'
        },
        'type': 'POST',
        'url': 'doLogin.sm',
        'data': JSON.stringify(user),
        'dataType': 'text',
        'success': loginSuccessful,
        'complete': function (jqXHR, textStatus) {
            $('#resultDiv').text("complete with:" + textStatus);
        }
    });
}

function loginSuccessful() {
    //if referrer is null, jump to dashboard, else jump to referrer.
    var referer = getUrlVars()['referer'];
    if (referer) {
        window.location.replace(referer);
    }
    else {
        window.location.replace('dashboard.html');
    }
}

login.html:

<!DOCTYPE html>
<html lang="en">
<head>
    <title>My Cloud - Login page</title>
    <link rel="stylesheet" type="text/css"
          href="resources2/css/bootstrap.css">
    <meta charset="utf-8">
    <!--force to use the latest IE engine-->
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <script src="resources2/js/jquery-1.11.3.js"></script>
    <script src="resources2/js/bootstrap.js"></script>
    <script src="resources2/js/pagejs/common.js"></script>
    <script src="resources2/js/pagejs/login.js"></script>
</head>
<body>
    <h1>My Login Page</h1>
    <div id="loginDiv">
        <input id="txtUsername" type="text" value="test">
        <input id="txtPassword" type="password" value="test">
        <div id="submitDiv" class="btn btn-default">
            Login
        </div>
        <div id="resultDiv"></div>
    </div>
</body>
</html>

Answer 1

If your JavaScript decides whether to allow the user to get pages from your site, what is stopping the user from setting a breakpoint in the JavaScript code and changing the outcome of the authentication process?

Authorization decisions need to happen on the server as you can never trust the client (browser).

Your site needs to verify at the server side that the user is authenticated. This is typically done by sending some kind of implicit authentication info along with the request that the server can verify and the client cannot forge.

I don't see that happening in your design. But why are you trying to design your own authentication mechanism? Why not use a standard protocol like WS-Federation, SAML-P, or OpenID Connect for this?

Answer 2

Session state on the client (not on the server)

That's what Roy Thomas Fielding, The REST Godfather, said in his dissertation regarding the stateless constraint:

5.1.3 Stateless

[...] each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server. Session state is therefore kept entirely on the client. [...]

So, if you are keeping the session state on the server, it's not REST.

In REST you won't have a session on the server and, consequently, you won't have a session identifier.

Each request must contain all data to be processed

Each request from client to server must contain all of the necessary information to be understood by the server. With it, you are not depending on any session context stored on the server.

When accessing protected resources that require authentication, for example, each request must contain all necessary data to be properly authenticated/authorized. It means the authentication will be performed for each request.

And authentication data should belong to the standard HTTP Authorization header. From the RFC 7235:

4.2. Authorization

The Authorization header field allows a user agent to authenticate itself with an origin server -- usually, but not necessarily, after receiving a 401 (Unauthorized) response. Its value consists of credentials containing the authentication information of the user agent for the realm of the resource being requested. [...]

Basic authentication

The Basic Authentication Scheme, defined in the RFC 7617, is a good start for securing a REST API:

2. The 'Basic' Authentication Scheme

The Basic authentication scheme is based on the model that the client needs to authenticate itself with a user-id and a password for each protection space ("realm"). [...] The server will service the request only if it can validate the user-id and password for the protection space applying to the requested resource.

[...]

To receive authorization, the client

1. obtains the user-id and password from the user,

2. constructs the user-pass by concatenating the user-id, a single colon (":") character, and the password,

3. encodes the user-pass into an octet sequence,

4. and obtains the basic-credentials by encoding this octet sequence using Base64 into a sequence of US-ASCII characters.

[...]

If the user agent wishes to send the user-id "Aladdin" and password "open sesame", it would use the following header field:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

[...]

Remember the HTTPS is your best friend to prevent the man-in-the-middle attack.

Tokens

If you don't want sending the username and the password over the wire for every request, you can consider creating a token based authentication. In this approach, you exchange your hard credentials (username and password) for a token which is sent in each request.

Again, the authentication must be performed for every request.

Basically, the token can be opaque (which reveals no details other than the value itself, like a random string) or can be self-contained (like JSON Web Token).

• Random String: A token can be issued by generating a random string and persisting it to a database with an expiration date and with a user identifier associated to it.

• JSON Web Token (JWT): Defined by the RFC 7519, it's a standard method for representing claims securely between two parties. JWT is a self-contained token and enables you to store a user identifier, an expiration date and whatever you want (but don't store passwords) in a payload, which is a JSON encoded as Base64. The payload can be read by the client and the integrity of the token can be easily checked by verifying its signature on the server. You won't need to persist JWT tokens if you don't need to track them. Althought, by persisting the tokens, you will have the possibility of invalidating and revoking the access of them. To find some great resources to work with JWT, have a look at http://jwt.io.

There are many databases where you can persist your tokens. Depending on your requirements, you can explore different solutions such as relational databases, key-value stores or document stores.