I have a Rails 4.X app using devise and devise_token_auth. I want to encrypt the email and password while calling this app.
Here is the server side code:
class User < ActiveRecord::Base
# Include default devise modules. Others available are:
# :confirmable, :lockable, :timeoutable and :omniauthable
devise :database_authenticatable, :registerable,
:recoverable, :rememberable, :trackable, :validatable
include DeviseTokenAuth::Concerns::User
gem 'devise'
gem 'devise_token_auth'
gem 'omniauth'
This is my curl call (with username and password in clear text)
curl -v -H 'Content-Type: application/json' -H 'Accept: application/json' -X POST http://localhost:3000/api/auth/sign_in -d "{\"email\":\"user@gmail.com\",\"password\":\"aaaaaaa"}"
I know I can use https to secure the initial call. But is there any other way to send the user name and password encrypted (without using https)? Thanks!
You could implement challenge-response authentication as specified in RFC 7616 . This would protect the password sufficiently over a plaintext channel. However, this method is inherently prone to man-in-the-middle attacks . Another issue is that this method relies on a shared secret which is impairing safe storage of the password on the server side.
My advice were to use the basic authentication scheme as specified in RFC 7617 over a secure channel (ie https). This is relatively easy to implement and established practice.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.