How to secure a REST API between mobile app and the server

My project includes a web application, a mobile app and a REST API module.

The mobile app is made with Ionic 3 for Android and uses a REST API located at an address like example.com/api.php on a server with HTTPS. The API has access to a MySQL database.

For the users who access the API I have to create the login / access-to-API functions / logout, since they already have accounts created in the web application.

The main concern is to implement a secure login, meaning that if someone tries to access my API without authorization (knows the address, the function names or the parameter names used) they receive an error message. In order to access the API you must be logged in and have the right to access a certain section (I have multiple levels of access).
But how can I detect whether a user who accesses my REST API is logged in and has the proper rights?

The plan:

  1. For the login step
    In order to access the REST API I have to log in with username/password in the app. I check if the credentials are correct (if the user exists then I determine the access level) and return a JWT with the user ID and other parameters if necessary (a token). Store the JWT in the phone's local storage.

  2. To secure the access to REST API functions
    The question is: HOW DO I DO THAT? How do I secure access to a function from my REST API?

  • for every request that I make to the REST API, should I also send the token from Local Storage and verify it on the server side?
  • how do I perform the validation on the server? Do I store the token on the device and also on the server and compare them for each request?

Thanks a lot!

Very often this is done with JWT or a token based OAuth system. You login at a freely available endpoint. If it works, you get something back that you send with all other requests. The backend can use the “something” to find out if you logged in successfully before.
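To show what "the backend uses the something to find out if you logged in" looks like concretely, here is an added example (not code from the question or the reply) of the JWT flow the plan describes: the login step signs the user ID and access level with a server-side secret, and every later request is checked by recomputing the signature and comparing the expiry and access level in the claims, so the server stores nothing per token. It is written in Python with only the standard library; the secret, claim names (`sub`, `lvl`) and access levels are constructed for the demo, and the same logic ports directly to the PHP endpoint.

```python
import base64, hashlib, hmac, json, time
from typing import Optional, Tuple

# Constructed demo secret; in production use a long random value kept only on the server.
SECRET = b"constructed-demo-secret-change-me"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user_id: int, access_level: int, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Login step: after the username/password check passes, sign the claims. Nothing is stored server-side."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user_id, "lvl": access_level, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Per-request check: recompute the HMAC over header.payload, compare in constant time, reject expired tokens."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # the server, not the token, decides which algorithm is acceptable
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # payload or signature was altered after issue
        claims = json.loads(_b64url_decode(payload))
        if not isinstance(claims, dict):
            return None
    except (ValueError, TypeError, AttributeError):
        return None
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None  # expired: the user must log in again
    return claims

def authorize(authorization_header: Optional[str], required_level: int, now: Optional[int] = None) -> Tuple[int, dict]:
    """What the API does in front of a protected function: 401 without a valid token, 403 when the level is too low."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, {"error": "missing token"}
    claims = verify_token(authorization_header[len("Bearer "):], now)
    if claims is None:
        return 401, {"error": "invalid or expired token"}
    if claims.get("lvl", 0) < required_level:
        return 403, {"error": "insufficient access level"}
    return 200, {"user": claims["sub"]}
```

The app sends the stored JWT as `Authorization: Bearer <token>` on every request, and logout on the client is just deleting it; because verification is stateless, revoking a token before its expiry would need a server-side denylist, which is the trade-off for not storing tokens at all.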

Thanks for your suggestion.

Follow-up discussion: How to secure communication between Ionic app and the custom PHP REST API