HTTP Basic Auth API credentials - is my method secure enough?

Hey all,

I’m calling the Jira Software API which requires Basic Auth (Username and Password, the password is an API key that the user generates in Jira).

I managed to get it working which is great, however I’m unsure if the way I’m doing it is secure and wondered if anyone could give a few pointers on the following:

  1. I’m storing the user's API key as a field in the User data type. I’ve got a privacy rule set up so that only the current user can view it. Is that secure enough?

  2. I’ve created a repeating group for showing the results from the Jira API. I’m passing in the current user's email, API key and Jira URL via the Repeating Group data source (see screenshot). Is this good practice? The user would have a settings portal where they can maintain those values.

  3. In the API connector I’ve set variables in the endpoint URL where I pass in the URL, username (email), and password (API key). In order to set them dynamically based on the current logged-in user I’ve had to uncheck Private. Should that concern me?

Any help or suggestions very welcome.

Thanks
Dan


Hello Dan,

A couple of questions/comments:

  1. If the user were to gain access to their own API Key and username (download them and use them elsewhere), would that be an issue? If so, then this isn’t a secure setup. If that’s not an issue, and the privacy rules prevent anyone other than that user from seeing their API Key, then it should be secure.
  2. Is there any way to send the Username and Password in the headers of the API call instead of in the URL? That should be a little more secure, but not by much (https://stackoverflow.com/a/5518085)

Hope that’s helpful,
Chris

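To make Chris's second point concrete: an added example (not code from the thread, from Bubble, or from Jira) showing what "Basic Auth in the header instead of the URL" actually means on the wire. The email, API token and `your-site.atlassian.net` host are constructed placeholders; `/rest/api/3/myself` is just a representative path. The same `email:api_token` pair that Bubble's API connector would put into the URL becomes a single `Authorization: Basic <base64>` header, the request URL carries no secret, and a small redaction helper shows the clean-up a credential-in-URL form needs before it can be logged safely.

```python
"""HTTP Basic Auth for a REST API: credentials in the Authorization header,
not in the URL.

Added example for the forum thread above; not part of Bubble or Jira.
All identities, tokens and hosts below are constructed placeholders.
"""
import base64
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request


def basic_auth_header(username: str, api_token: str) -> str:
    """Build the Authorization header value defined by RFC 7617:
    'Basic ' + base64(username + ':' + password).

    For Jira Cloud the username is the account email and the password is
    the API token the user generated, exactly the pair the original post
    is passing through the URL.
    """
    if ":" in username:
        # The scheme splits on the first ':' so a user-id may not contain one.
        raise ValueError("Basic Auth user-id must not contain ':'")
    raw = f"{username}:{api_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_request(base_url: str, path: str, username: str, api_token: str) -> Request:
    """Return a urllib Request whose URL is free of credentials.

    The secret travels only in the Authorization header, which TLS protects
    in transit and which, unlike the URL, is not copied into access logs,
    browser history or Referer headers.
    """
    req = Request(base_url.rstrip("/") + path, method="GET")
    req.add_header("Authorization", basic_auth_header(username, api_token))
    req.add_header("Accept", "application/json")
    return req


def userinfo_in_url(url: str) -> bool:
    """True if the URL carries user:password@ (the credential-in-URL form)."""
    return "@" in urlsplit(url).netloc


def redact_userinfo(url: str) -> str:
    """Strip the user:password@ part from a URL before logging or displaying it.

    This is the minimum clean-up a URL like https://email:token@host/...
    needs before it may appear in any log line or error message.
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed placeholders, not real credentials.
    email, token = "dan@example.com", "abc123"
    base = "https://your-site.atlassian.net"

    req = build_request(base, "/rest/api/3/myself", email, token)
    print("URL sent      :", req.full_url)            # no secret in here
    print("Authorization :", req.get_header("Authorization"))

    # The form the original post uses, and what must happen before it is logged.
    in_url = f"https://{email.replace('@', '%40')}:{token}@your-site.atlassian.net/rest/api/3/myself"
    print("credential in URL?", userinfo_in_url(in_url))
    print("redacted for logs :", redact_userinfo(in_url))
```

The header form is only half of the story for a client-side call: whoever's browser issues the request can read both the URL and the Authorization header, which is why Chris's first point (is it acceptable for the user to see their own key?) is the one that decides whether the design is acceptable. Moving the credentials out of the URL removes them from server access logs and browser history; it does not hide them from the user making the call.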