So I have been thinking about a way to make a secure RESTful API for iOS logins.
This is what my teacher and I have come up with:
- The Client (swift program) initializes the connection with the server.
- The Server returns a "shared secret" (ex. +40) and a hash of a random string of letters and numbers.
- The Client then hashes the Username and Password (separately) and sends them back with the hash of: hash + "the shared secret".
- After the Server sends data (step 2), the server hashes [hash + "shared secret"] and then updates it in the db.
- The Server then receives the hashed value from the Client and checks the db to see if it matches
- The db will also have a timestamp; if it is not updated frequently enough, a function will run through the db and drop the items that are no longer used.
- For every request after the login the bearer token is sent.
The bearer token will follow this formula: Request verification token = hash [ (original hash) + (shared secret) * (# of requests) ]
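The exchange described above, as an added runnable example that is not code from the post (Python rather than Swift, so both sides fit in one file). The hash function (SHA-256), a session id that names the db row, how the secret is combined with a hash (string concatenation of the hex digest and the decimal secret), the user table and the expiry window are all assumptions the post leaves open.

```python
"""Added example: the login and bearer-token exchange from the post, both sides in Python.

Assumptions not fixed by the post: SHA-256 as the hash, a session id naming the db row,
hash + secret meaning string concatenation of the hex digest and the decimal secret,
a constructed user table, and a 60 second expiry window.
"""
import hashlib
import secrets
import time


def h(data: str) -> str:
    """SHA-256 hex digest of a UTF-8 string (the post does not name a hash; SHA-256 assumed)."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


class Server:
    """Server side. `db` is the per-session table the post describes."""

    def __init__(self, users, ttl_seconds=60.0):
        self.users = users      # hash(username) -> hash(password); constructed, assumed
        self.db = {}            # session_id -> row with secret, hashes, counter, timestamp
        self.ttl = ttl_seconds

    def initiate(self, now=None):
        """Steps 1-2 and 6: return (secret, hash of random string), store hash(hash + secret)."""
        now = time.time() if now is None else now
        session_id = secrets.token_hex(8)               # assumed: identifies the db row
        secret = secrets.randbelow(1000) + 1            # a small number, e.g. 40 as in the post
        original_hash = h(secrets.token_urlsafe(16))    # hash of a random string
        self.db[session_id] = {
            "secret": secret,
            "original_hash": original_hash,
            "expected": h(original_hash + str(secret)),  # step 6
            "logged_in": False,
            "requests": 0,
            "last_seen": now,                            # step 8 timestamp
        }
        return session_id, secret, original_hash

    def login(self, session_id, user_hash, pass_hash, proof, now=None):
        """Steps 5 and 7: compare the client's proof with the db row, then the hashed credentials."""
        now = time.time() if now is None else now
        row = self.db.get(session_id)
        if row is None or not secrets.compare_digest(row["expected"], proof):
            return False
        if self.users.get(user_hash) != pass_hash:   # credential check; the post leaves it implicit
            return False
        row["logged_in"] = True
        row["last_seen"] = now
        return True

    def authorize(self, session_id, bearer, now=None):
        """Steps 9-10: the n-th request after login must carry hash(original hash + secret * n)."""
        now = time.time() if now is None else now
        row = self.db.get(session_id)
        if row is None or not row["logged_in"]:
            return False
        n = row["requests"] + 1
        expected = h(row["original_hash"] + str(row["secret"] * n))
        if not secrets.compare_digest(expected, bearer):
            return False                              # wrong or reused token: counter does not advance
        row["requests"] = n
        row["last_seen"] = now
        return True

    def sweep(self, now=None):
        """Step 8: drop rows whose timestamp was not refreshed within ttl; returns how many."""
        now = time.time() if now is None else now
        stale = [sid for sid, row in self.db.items() if now - row["last_seen"] > self.ttl]
        for sid in stale:
            del self.db[sid]
        return len(stale)


class Client:
    """Client side (the Swift app in the post), mirrored in Python for a single runnable file."""

    def __init__(self, username, password):
        self.user_hash = h(username)
        self.pass_hash = h(password)
        self.secret = self.original_hash = None
        self.requests = 0

    def login_message(self, secret, original_hash):
        """Step 5: hashed username, hashed password, and hash(hash + secret)."""
        self.secret, self.original_hash = secret, original_hash
        return self.user_hash, self.pass_hash, h(original_hash + str(secret))

    def bearer_token(self):
        """Step 10: next request's token, hash(original hash + secret * request number)."""
        self.requests += 1
        return h(self.original_hash + str(self.secret * self.requests))


def run_exchange(now=1000.0):
    """Drive the whole protocol once with a constructed user and return each step's outcome."""
    server = Server(users={h("alice"): h("correct horse")}, ttl_seconds=60)
    client = Client("alice", "correct horse")
    sid, secret, original_hash = server.initiate(now)
    user_hash, pass_hash, proof = client.login_message(secret, original_hash)
    r = {}
    r["wrong_password"] = server.login(sid, user_hash, h("wrong"), proof, now=now)
    r["login"] = server.login(sid, user_hash, pass_hash, proof, now=now)
    r["request_1"] = server.authorize(sid, client.bearer_token(), now=now + 1)
    token_2 = client.bearer_token()
    r["request_2"] = server.authorize(sid, token_2, now=now + 2)
    r["replayed_token"] = server.authorize(sid, token_2, now=now + 3)   # server now expects n = 3
    r["dropped_by_sweep"] = server.sweep(now=now + 64)                  # 62 s since last refresh
    r["after_sweep"] = server.authorize(sid, client.bearer_token(), now=now + 65)
    return r


if __name__ == "__main__":
    print(run_exchange())
```

The server-side counter only advances on a token that verifies, so a resubmitted token is rejected and the client's next token (for n = 3) would still be accepted had the row not been swept; `sweep` is the periodic cleanup function of step 8, here called with an explicit clock so the run is reproducible.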