The relays would operate garage doors. So, I want the user to be able to 
quickly and securely launch the application and operate the doors. I 
would like to have a system which is almost as easy to use as an existing 
opener, but with additional features:
- Check the door status from anywhere*

- Logging

- User, group, and time-based authentication

- Without decreasing security (if anything, I want to improve it)

* I would only allow the user to operate the door if he/she is 
geographically close to the door, for safety reasons.
I looked into OAuth, but it does not seem to fit my use-case well.
I wonder how difficult it would be to implement PKI auth for this 
application…

On Wednesday, February 9, 2011 12:06:36 AM UTC-5, Eric wrote:

>  I wouldn't consider using a UUID as multi-factor authentication.
>
> All our API traffic is over https.  We use the basic authentication 
> included with django-piston.
>
> Any reason why you want to exchange username and password for an API Key? 
>  Why not just authenticate each request with username and password?
>
>
>
>  On Feb 8, 2011, at 5:37 PM, Sean W wrote:
>
> This is a re-post of my stack overflow question here 
> http://stackoverflow.com/questions/4939908/how-should-i-properly-impliment-https-auth-remote-auth-in-django
>   
>   Hi,
>
> I am in the planning phase of a new project. I want to be able to control 
> multiple relays from my android powered phone over the internet. I need to 
> use an HTTP based server as a middleman between the phone and the relays. 
> Django is my preferred platform because Python is my strongest skill set. 
> This would not be a "web app" (with the exception of the admin interface for 
> managing the users and their access to the relays). Rather, the server would 
> simply provide an API in the form of HTTPS requests and JSON encoding. 
> Though, I should note that I have never done any web development in my life, 
> so I don't know best practices (yet). The authentication method should meet 
> the following criteria:
>
>    - Works over HTTPS (self-signed SSL) 
>    - Provides multi-factor authentication (in the form of something you 
>      have and something you know) 
>    - Be reasonably secure (Would be very difficult to fool, guess at, or 
>      otherwise bypass) 
>    - Is simple in implementation for the server operator and end user on 
>      the mobile client 
>    - Is lightweight in terms of both CPU cycles and bandwidth
>    
>    I plan to use the following scheme to solve this:
>     1. An administrator logs into the web interface, creates a user, and 
>        sets up his/her permissions (including a username and a password 
>        chosen by the user). 
>     2. The user starts the client, selects add server, and enters the 
>        server URL and his/her credentials. 
>     3. The client attempts to authenticate the user via HTTP auth (over 
>        SSL). If the authentication was successful, the server will generate 
>        an API key in the form of a UUID and send it to the client. The 
>        client will save this key and use it in all API calls over HTTPS. 
>        HTTP auth is only used for the initial authentication process prior 
>        to receiving a key, as a session scheme would not be necessary for 
>        this application. Right? The client will only work if the phone is 
>        configured to automatically lock with a PIN or pattern after a short 
>        timeout. The server will only allow one key to be generated per 
>        user, unless an administrator resets the key. Hence, simple, mobile, 
>        multifactor authentication.
>    
> Is this sound from a security standpoint? Also, can anyone point me to an 
> example of how to use the HTTP auth that is built into Django? From a Google 
> search, I can find a lot of snippets which hack the feature together. But, 
> none of them implement HTTP auth in the way it was added to Django in 
> 1.1 <http://code.djangoproject.com/ticket/689>. 
> The official documentation for REMOTE_AUTH can be found 
> here <http://docs.djangoproject.com/en/1.2/howto/auth-remote-user/>, 
> but I am having difficulty understanding the documentation as I am very new 
> to Django.
>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.
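The exchange proposed in the original post (HTTP Basic auth over TLS once, then a per-user API key on every later call, one key per user until an administrator resets it), written out as an added example. This is not code from the thread, from Django or from django-piston; it is framework-free Python so it runs on its own. Assumptions: in-memory dicts stand in for Django models, the `ApiKey` authorization scheme name and the PBKDF2 parameters are my choices, and the key is a random UUID only because the post proposes one (in CPython, `uuid.uuid4()` draws from `os.urandom`, so it is unguessable). Two details the post leaves out are included because they matter in practice: passwords are stored as salted PBKDF2 hashes and compared in constant time, and only a hash of the API key is stored, so a copy of the database cannot be used to operate the doors. Note also that Django's `RemoteUserMiddleware` (the ticket 689 feature) does not perform HTTP auth itself; it trusts the `REMOTE_USER` value that a front-end server such as Apache sets after it has done the Basic auth check.

```python
import base64
import hashlib
import hmac
import os
import uuid

# Constructed in-memory stores standing in for Django models (assumption).
USERS = {}       # username -> {"salt": bytes, "pw_hash": bytes}
API_KEYS = {}    # sha256(key) hex -> username   (only a hash of the key is kept)
USER_KEY = {}    # username -> sha256(key) hex   (enforces one key per user)

PBKDF2_ROUNDS = 100000  # chosen for the example; tune to your hardware


def create_user(username, password):
    """Administrator step (1): store a salted PBKDF2 hash, never the password."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = {"salt": salt, "pw_hash": pw_hash}


def verify_password(username, password):
    """Constant-time password check; unknown users cost the same as known ones."""
    rec = USERS.get(username)
    if rec is None:
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, rec["pw_hash"])


def basic_header(username, password):
    """What the client sends in step (3): an RFC 2617 Basic credential."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    return {"Authorization": "Basic " + token}


def parse_basic_auth(headers):
    """Return (username, password) from an 'Authorization: Basic ...' header, or None."""
    value = headers.get("Authorization", "")
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def _key_hash(key):
    return hashlib.sha256(key.encode()).hexdigest()


def issue_key(headers):
    """Step (3): Basic auth once over TLS, get an API key back.

    Returns (status, key). 401 on bad credentials, 409 if the user already
    holds a key (an administrator must reset it first), 200 with the key.
    """
    creds = parse_basic_auth(headers)
    if creds is None:
        return 401, None
    username, password = creds
    if not verify_password(username, password):
        return 401, None
    if username in USER_KEY:
        return 409, None
    key = str(uuid.uuid4())          # random UUID, as the post proposes
    h = _key_hash(key)
    API_KEYS[h] = username           # store the hash, hand the key to the client
    USER_KEY[username] = h
    return 200, key


def reset_key(username):
    """Administrator step: revoke the user's key so a new one can be issued."""
    h = USER_KEY.pop(username, None)
    if h is not None:
        API_KEYS.pop(h, None)


def authenticate_api_call(headers):
    """Every later API call carries 'Authorization: ApiKey <key>' (scheme name
    is this example's choice). Returns the username or None."""
    value = headers.get("Authorization", "")
    scheme, _, key = value.partition(" ")
    if scheme.lower() != "apikey" or not key:
        return None
    return API_KEYS.get(_key_hash(key))


if __name__ == "__main__":
    create_user("sean", "correct horse")
    status, key = issue_key(basic_header("sean", "correct horse"))
    print(status, authenticate_api_call({"Authorization": "ApiKey " + key}))
```

As Eric points out in the thread, the key on its own is one factor: whoever holds the phone holds the key. What the exchange buys over sending the password on every call is that the password is transmitted once and a lost phone is handled by an administrator's `reset_key`, not a password change. Anything the client reports about its own GPS position is attacker-controlled, so the "close to the door" rule is a safety feature, not an access control.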