Secured RESTful API that can is used by Web App

You seem to be confusing/merging-different concepts together. We start of talking about encrypting traffic (HTTPS) and then we start talking about different ways to manage authenticate D sessions. In a secure application these is not mutually exclusive tasks. There also seem to potentially is a misunderstanding how session management can impact authentication. Based on that I'll provide a primer on Web Application/web API session management, authentication, and encryption.

Introduction
Session Management

HTTP transactions is stateless by default. HTTP does not specify no method to let your application know a HTTP request have been sent from a specific user (auth Enticated or not).

For robust Web applications, this is not acceptable. We need A to associate requests and data made across multiple requests. To does this, on initial request to the server a user needs to be assigned a "session". Generally sessions has some kind of the unique ID that's sent to the client. The client sends this session ID with every request and the server uses the session ID sent in every request to properly p Repare a response for the user.

It's important to remember, a ' session ID ' can be called many other things. Some examples of those are:session tokens, tokens, etc. For consistency I'll use ' session ID ' for the rest of this response.

Each HTTP request from the client needs to include the session ID; This can is done in many ways. Popular examples is:

It can be stored in a cookie-cookies for the current domain is automatically sent on every request.
It can sent on the Url-each request could send the session ID in the URL, not suggested since session IDs would stay I n The Clients History
It can sent via as a HTTP Header-each request would need to specify the header
Most Web application frameworks use cookies. However application, rely on JavaScript, and single page designs opt-in, HTTP header/store it in some other lo Cation that's observable by the server.

It's very important to remember, the HTTP response that notifies the client of their session ID and the client's requ ESTs that contain the session ID is completely plain text and 100% unsafe. To battle this, all HTTP traffic needs to be encrypted; That's where HTTPS comes in.

It is also important-to-point out we had not talked on linking a session to a specific the user in our system. Session management is just associating data to a specific client accessing our system. The client can be in both authenticated and unauthenticated states, but the both states they generally has a session.

Authentication

Authentication is where we link a session to a specific user in our system. This was generally handled by a login process where a user supplies credentials, those credentials was verified, and then W E Link a session to a specific the user record in our system.

The user is in turn associated with privileges for fine grained access control via access control lists and access control Entries (ACL and ACE). This is generally referred to as "Authorization". Most system always has both authentication and Authorization. In some simple systems all authenticated users is equals in which case you won ' t has authorization past simple authentic ation. Further information on the is out of the scope for this question, but consider reading about Ace/acl.

A specific session can be flagged as representing A authenticated user in different ways.

Their session data stored server side could store their user id/some other flag this denotes that the use is Authenti cated as a specific user
Another user token could is send to the client just like a session ID (which over unencrypted HTTP is just as unsafe as sending a session ID unencrypted)
either option is fine. It generally comes down to the technology is working on and what they offer by default.

A client generally initiates the authentication process. This can is done by the sending credentials to a specific URL (e.g. yoursite.com/api/login). However if we want to is ' RESTful ' we generally would referencing a resource by some noun and doing the action of ' create ' . This could is done by requiring a POST of the credentials to yoursite.com/api/authenticatedsession/. Where the idea would is to create a authenticated session. Most sites just POST the credentials To/api/login or the. This was a departure from ' true ' or ' pure ' RESTful ideals, but most people find this a simpler concept rather than thinking of it as "creating an authenticated session".

Encryption

HTTPS is used to encrypt HTTP traffic between a client and server. On a system this relies on authenticated and unauthenticated users, all traffic this relies on a user being authenticated Needs to be encrypted via HTTPS; There is no-around this.

The reason for it is so if you authenticate a user, share a secret with them (their session ID, etc) and then begin to Parade that secret in plain HTTP their session can is hijacked by man-in-the-middle attacks. A hacker'll wait for the traffic to go through an observed network and steal the Secret (since its plain text over H TTP) and then initiate a connection to your server pretending to be the original client.

One-of-a-people combat this was by associating the requests remote IP address to an authenticated session. This was ineffective alone as any hacker would be able to spoof their requests remote IP address in their fake requests and Then observe the responses your sever was sending back. Most would argue, this is not even worth implementing unless you are tracking historical data and using it to identify A specific user ' s login patterns (like Google does).

If you need-to-split up your site between HTTP and HTTPS sections, it's imperative that the HTTP traffic does not send or Receive the session ID or any token used to manage the authentication status of a user. It is also important so do not send sensitive application data within Non-https requests/responses.

The only-to-secure data within Web Applications/apis is to encrypt your traffic.

Your Topics one by one
Basic-http-auth

Authentication:yes
Session Management:no
Encryption:no
This is a method of authenticating by Web resource only. Basic authentication authenticates uses by the resource identified by URL. This is most popularly implemented by Apache HTTP Web Server with the use of. htaccess based directory/location Authentic ation. Credentials the sent with the each request; Clients generally handled this transparently for users.

Basic authentication can used by and other systems as a mode of authentication. However, the systems that utilize Basic-http-auth is providing authentication and session management, not the basic-http- Auth itself.

This is the not session management.
This is not encryption; Content and credentials is nearly 100% plain text
This does is not secure the contents of the application ' s HTTP request/responses.
Digest-auth

Authentication:yes
Session Management:no
Encryption:no
This is exactly the same as Basic-http-auth and the addition of some simple MD5 digesting. This digesting should is relied upon instead of using encryption.

This is the not session management.
This is not encryption; The digest is easily broken
This does is not secure the contents of the application ' s HTTP request/responses.
Oauth

Authentication:yes
Session Management:no
Encryption:no
OAuth just lets you has an external service validate credentials. After which it is, the manage/work with the result of authentication request to your OAuth provider.

This is the not session management.
This is not encryption; Your sites traffic is still plain text. The authentication process would be secure due to HTTPS restrictions, but your application is still vulnerable.
This does is not secure the contents of the application ' s HTTP request/responses.
Gangster Handshake/custom HTTP Header

Authentication:yes, potentially
Session Management:yes, potentially
Encryption:no
"Custom HTTP Header" is a type of "gangster handshakes"; As such I'll use the same sections to discuss them. The only difference are a "Custom HTTP header" is specifying where the Hanshake (session ID, token, user Authenticatio n Toke, etc) would be stored (i.e. in a HTTP header).

It's important to note that these does not specify how authentication would be handled, nor does they specify how session Mana Gement'll be handled. They essentially describe how and where session ids/authentication tokens would be stored.

Authentication would need to is handled by your application or via a third party (e.g. OAuth). Session management would still need to being implemented as well. The interesting thing is your can choose the merge the If you wish.

This is not encryption; Your sites traffic is still plain text. The authentication process would be secure due to HTTPS restrictions if your use OAuth, but your application is still Vulner Able.
This does is not secure the contents of the application ' s HTTP request/responses.
What are need to do
... I highly suggest you do sure that's understand that a robust web application which is secure needs the following:

Encryption (HTTPS is pretty much your only choice)
Session Management
Authentication/authorization
Authorization relies upon authentication. Authentication relies upon session Management and encryption makes sure the session isn ' t hijacked and that the credential S is not intercepted.

Flask-login

I think you should look into flask-login as a and avoid re-implementing the wheel. I have personally never used it (I use pyramid for Web applications in Python). However, I had seen it mentioned before in Web Application/python boards. It handles both authentication and session management. Throw your web api/application through HTTPS and you had all three (encryption, Session Management, and User Authenticati ON).

If You do Not/can not use Flask-login, being prepared to write your own, but does the do the first on how to create secure auth Entication mechanisms.

If at all possible, if you don't understand how to write a authentication procedure please don't attempt it without fir St Learning how hackers use pattern based attacks, timing attacks, etc.

Please Encrypt Your traffic

... move past the idea, you can avoid using HTTPS with some "clever" token use. Move past the idea, should avoid using https/encryption because "its slow", process intensive, etc. It is process intensive because it's an encryption algorithm. The need to ensure the safety of your user's data and your applications data should always being your highest priority. Want to go through the horror of notifying your users, their data was compromised.

Secured RESTful API that can is used by Web App