juanseb
Posts: 1
Joined: Sat Feb 02, 2019 2:52 am

Security authentication compatible with REST API

Sat Feb 02, 2019 2:59 am

Hi, I'm trying a project in which I plan to open a physical slot with an RFID card. This attempt should be registered by software and updated on the server via GET/POST.

I don't know how to link the RFID with the user/password on the server (it's a Ruby on Rails app). Could it be a good idea to put the user (or user id) and the password digest on the RFID? What is done in similar situations?

I heard I should use JWT session authentication, but apart from that, I'm not sure how to proceed.

Thanks.

bzt
Posts: 564
Joined: Sat Oct 14, 2017 9:57 pm

Re: Security authentication compatible with REST API

Mon Feb 04, 2019 11:43 am

juanseb wrote:
Sat Feb 02, 2019 2:59 am
I don't know how to link the RFID with the user/password in the server
Well, if there's only one RFID per user, you can add a new column to the users table in your database. Otherwise I'd suggest using a new rfiduser table. If you have an SQL database, that would be:

SELECT users.* FROM rfiduser LEFT JOIN users ON rfiduser.userid=users.userid WHERE rfiduser.rfid='x';

Anyway, I think you should have two different authentication levels:
1. The RPi should use SSL/TLS with client certificate validation to access the REST API (Apache and libcurl can be configured easily to do so). You do not pass the user/password, only the RFID along with the REST request, and maybe a long API key that you can check from your Ruby code.
2. Users using the server's web interface use the usual user/password authentication.

The point is, you move the logic to the server side, where your Ruby code can get the user's record using only the RFID (because of the SSL/TLS, cert auth and API key, this should be secure enough even without a password). The other option would be to connect the RFID to user/pass on the RPi side and play a web login with the REST API, but that poses several manageability and security issues (how would you keep the user/pass database up to date on the RPi securely?).

Cheers,
bzt
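The reader-side path bzt describes (TLS client certificate checked by the web server, a long shared API key checked in Ruby, then an RFID-to-user lookup with no password involved), as an added Ruby example that is not part of this thread. It assumes Apache's mod_ssl forwards its SSL_CLIENT_VERIFY variable to the app, that the RPi sends the key in a hypothetical X-API-Key header, and it stands in for the users/rfiduser tables with constructed in-memory hashes.

```ruby
require 'time'

# Constructed stand-ins for the two tables from the SQL above: users and rfiduser.
USERS = {
  42 => { userid: 42, name: 'alice' },
  43 => { userid: 43, name: 'bob' }
}.freeze
RFIDUSER = { 'a1b2c3d4' => 42, 'deadbeef' => 43 }.freeze

# Long random secret shared with the RPi. Placeholder value; in a real deployment
# it would come from the server environment, not from the Rails source tree.
READER_API_KEY = 'PLACEHOLDER-long-random-api-key'.freeze

# Constant-time string comparison so a wrong key cannot be found byte by byte via timing.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Handle one "card presented" request from the reader.
# env:    what the web server forwards (SSL_CLIENT_VERIFY from mod_ssl, HTTP_X_API_KEY header)
# params: request parameters; the only user-related datum is the RFID itself
# Returns [http_status, body_hash] and appends an audit record to `log`.
def handle_rfid_event(env, params, at: Time.now.utc, log: [])
  # Layer 1: the client certificate must already have validated at the web server.
  return [403, { error: 'client certificate required' }] unless env['SSL_CLIENT_VERIFY'] == 'SUCCESS'
  # Layer 2: the shared API key, checked in application code.
  return [401, { error: 'bad api key' }] unless secure_equal?(env['HTTP_X_API_KEY'], READER_API_KEY)

  # Layer 3: resolve the RFID to a user record (the LEFT JOIN from the SQL above, in Ruby).
  rfid = params['rfid'].to_s
  userid = RFIDUSER[rfid]
  user = userid && USERS[userid]
  if user.nil?
    # Unknown cards are still registered so failed attempts are visible in the log.
    log << { at: at.iso8601, rfid: rfid, result: 'unknown_rfid' }
    return [404, { error: 'unknown rfid' }]
  end

  log << { at: at.iso8601, rfid: rfid, userid: user[:userid], result: 'opened' }
  [200, { userid: user[:userid], name: user[:name], opened_at: at.iso8601 }]
end
```

Note that no password digest is stored on the card or sent by the RPi; if a card is lost, only its rfiduser row needs revoking.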
