anttila Posted April 10, 2018
We are developing an App that sends data over the Internet to ProcessWire (POST/JSON). We want the password to be protected somehow when sending it, but I should be able to compare it to PW's passwords. We were thinking of using md5 encryption, but PW uses different encryption. How can I be sure that a user has an active account when they use the App?

gebeer Posted April 10, 2018
You might want to have a look at my REST API tutorial. It implements basic HTML authentication which is a standard that is quite secure when used over SSL. If you use that approach, then you need to send base64-encoded credentials (username:password) when your App authenticates with PW. Then on the PW side you need to decode those into username and password. See how this is done in the Rest Helper php. Then do the login attempt with $session->login('username', 'password'); to see whether the credentials are valid.

anttila (Author) Posted April 10, 2018
They don't actually login to the website when they use the API - I just need to know if the password is correct and send confirmation or false. Although, I could use $session->login to check if the credentials are valid. Thanks for help, I'll look into it.

BitPoet Posted April 10, 2018
2 hours ago, anttila said: "Although, I could use $session->login to check if the credentials are valid."
Do that. Rely on the built-in mechanisms for user authentication and authorization as much as you can, and you have already eliminated three quarters of the security pitfalls of writing a client app. Let your app deal with regular http status codes like 401 instead of custom status messages and you have another ten percent.

LostKobrakai Posted April 10, 2018
And be sure to use https as always
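
The flow the replies above describe (decode the Basic credentials, check them with $session->login, answer 401 on failure, HTTPS only), as an added example that is not part of any post in this thread and not ProcessWire's own code. It assumes a hypothetical endpoint template; the helpers parseBasicAuth() and respond(), the JSON body and the realm name are made up for illustration, and logging out again after a successful check is this example's choice.

```php
<?php namespace ProcessWire;
// Added example: hypothetical endpoint template, e.g. site/templates/api-auth.php

/** Parse "Authorization: Basic <base64>" into [name, pass]; null if malformed. */
function parseBasicAuth(?string $header): ?array {
    if ($header === null || stripos($header, 'Basic ') !== 0) return null;
    // Strict mode rejects characters outside the base64 alphabet
    $decoded = base64_decode(trim(substr($header, 6)), true);
    if ($decoded === false || strpos($decoded, ':') === false) return null;
    // Split on the first colon only: the password itself may contain ':'
    [$name, $pass] = explode(':', $decoded, 2);
    // This example treats an empty name or password as malformed
    if ($name === '' || $pass === '') return null;
    return [$name, $pass];
}

/** Send a JSON response with a regular HTTP status code and stop. */
function respond(int $status, array $body): void {
    http_response_code($status);
    header('Content-Type: application/json');
    if ($status === 401) header('WWW-Authenticate: Basic realm="api"');
    echo json_encode($body);
    exit;
}

// Base64 is an encoding, not encryption: refuse credentials sent over plain HTTP
if (!$config->https) respond(403, ['error' => 'HTTPS required']);

// Some Apache/FastCGI setups expose the header under the REDIRECT_ name
$header = $_SERVER['HTTP_AUTHORIZATION']
    ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION']
    ?? null;

$creds = parseBasicAuth($header);
if ($creds === null) respond(401, ['error' => 'Missing or malformed credentials']);

// Let ProcessWire do the password comparison; it returns a User or null
[$name, $pass] = $creds;
$user = $session->login($name, $pass);
if (!$user) respond(401, ['error' => 'Invalid credentials']);

// The app only needs a yes/no answer, so do not keep a logged-in session
$session->logout();
respond(200, ['valid' => true]);
```

The same 401 is returned for an unknown user and for a wrong password, so the response does not reveal which accounts exist.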