The current REST API uses a very simple shared secret model for verifying messages from plugins/connectors, which is good for most cases but I think going forwards we need to support a more secure method.
My proposal for this is to use message signing based on OAuth, so that as well as an API Key, we also store an API Secret. The connector framework creates messages as normal, but signs any message sent to Wookie using the API Secret and a randomly generated Nonce (i.e. messages contain the API Key and the Nonce, but never the API Secret).
Wookie can then authenticate the message by looking up the API Secret associated with the provided API Key, adding the Nonce, and verifying the message signature.
This could be implemented using the standard net.oAuth package utilities rather than requiring a lot of new code; the main extensions would be:
- enhancements to the Connector Framework
- addition of an API_Secret property for the API Key class, and a Nonce cache (to prevent replay attacks)
- extension of WidgetKeyManager to generate and send the API Secret on registration of an API Key
- extension of WidgetKeyManager.isValidRequest() to check message signatures as well as validity of API Key
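As an added illustration of the signing flow described above (not Wookie's code or the net.oauth utilities), both sides in one script: the connector signs with the API Secret and a fresh nonce, and the server-side check looks up the secret by API Key, recomputes the signature, and consumes the nonce from a cache. HMAC-SHA256 over a newline-joined canonical string, the timestamp field and the 300-second window are assumptions for the example, as are the key/secret values.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed sample key store: API Key -> API Secret (hypothetical values).
API_SECRETS = {"widget-key-1": "example-api-secret"}
MAX_CLOCK_SKEW = 300  # seconds a timestamp/nonce stays acceptable (assumption)


def canonical_string(api_key: str, nonce: str, timestamp: int, body: str) -> str:
    """The bytes that get signed; both sides must build them identically."""
    return "\n".join([api_key, nonce, str(timestamp), body])


def sign_message(api_key: str, api_secret: str, body: str,
                 nonce: Optional[str] = None, timestamp: Optional[int] = None) -> dict:
    """Connector side: attach API Key, nonce, timestamp and HMAC, never the secret."""
    nonce = nonce or secrets.token_hex(16)
    timestamp = int(time.time()) if timestamp is None else timestamp
    data = canonical_string(api_key, nonce, timestamp, body).encode()
    mac = hmac.new(api_secret.encode(), data, hashlib.sha256).hexdigest()
    return {"api_key": api_key, "nonce": nonce, "timestamp": timestamp,
            "body": body, "signature": mac}


class NonceCache:
    """Remembers nonces seen inside the skew window so a replayed message is rejected."""
    def __init__(self) -> None:
        self._seen: Dict[str, int] = {}

    def check_and_store(self, nonce: str, now: int) -> bool:
        # Expire old entries so the cache stays bounded by the skew window.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= MAX_CLOCK_SKEW}
        if nonce in self._seen:
            return False
        self._seen[nonce] = now
        return True


def is_valid_request(msg: dict, cache: NonceCache, now: Optional[int] = None) -> bool:
    """Server side: look up the secret for the key, recompute the signature, then consume the nonce."""
    now = int(time.time()) if now is None else now
    secret = API_SECRETS.get(msg.get("api_key", ""))
    if secret is None:
        return False
    data = canonical_string(msg["api_key"], msg["nonce"], msg["timestamp"], msg["body"]).encode()
    expected = hmac.new(secret.encode(), data, hashlib.sha256).hexdigest()
    # Constant-time compare, and check the signature before touching the nonce
    # cache so unauthenticated traffic cannot fill it with junk nonces.
    if not hmac.compare_digest(expected, msg.get("signature", "")):
        return False
    if abs(now - msg["timestamp"]) > MAX_CLOCK_SKEW:
        return False
    return cache.check_and_store(msg["nonce"], now)
```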
I would envisage this not being needed for the admin APIs, which are secured according to the servlet container configuration.
It's important that the details at the plugin end are handled by the connector framework rather than making plugin developers jump through more hoops - the only extra step should be having to paste in the API Secret when configuring a new plugin that uses the connection framework.