Suggestions on how to connect to a remote mysql database?

I’m writing a desktop application that has to authenticate user credentials (Like skype, league of legends or spotify) against a remote datastore.

Is there a recommended way of safely transferring this data to a remote server? I read online one possible way of doing this is for the client to make requests to a web api via https GET requests but I wanted to verify if this was a good idea or if there were other recommended ways.

Also - If the above method is actually the preferred way, what is the application logic I would need to write in order to validate the certificate sent from the server?

Thanks!

This isn’t really a wxPython question, but more of a Python question. You’ll probably need to use HTTPS or similar if you really require security. See the following link for one method of sending information:

You might find this link useful for validating certificates: Validate SSL certificates with Python - Stack Overflow or possibly: How do I verify an SSL certificate in python? - Stack Overflow or maybe HTTPS httplib Client Connection with Certificate Validation « Python recipes « ActiveState Code

Since this could be a time consuming process, you’ll probably need to put it into a thread, so you’ll want to read one or both of the following if you plan to use wxPython:

http://wiki.wxpython.org/LongRunningTasks

Hope that helps!
Mike


On Monday, July 8, 2013 3:12:40 AM UTC-5, RedHotChiliPepper wrote:

RedHotChiliPepper wrote:

> I'm writing a desktop application that has to authenticate user
> credentials (Like skype, league of legends or spotify) against a
> remote datastore.
>
> Is there a recommended way of safely transferring this data to a
> remote server? I read online one possible way of doing this is for
> the client to make requests to a web api via https GET requests but I
> wanted to verify if this was a good idea or if there were other
> recommended ways.

Do you already have an authentication scheme in place? Is that why
you're leaning towards HTTP? If the data is in mysql, you can read from
that directly. No need to go through a web server.

> Also - If the above method is actually the preferred way, what is the
> application logic I would need to write in order to validate the
> certificate sent from the server?

urllib2 already knows how to handle https URLs.


--
Tim Roberts, timr@probo.com
Providenza & Boekelheide, Inc.
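On the certificate-validation question, here is an added example (not code from this thread) of how a Python 3 desktop client should set up its HTTPS side. `ssl.create_default_context()` returns a context with `verify_mode=CERT_REQUIRED` and `check_hostname=True` loaded from the OS trust store, and `urllib.request` uses it through an `HTTPSHandler`. One caveat worth knowing: the `urllib2` of Python 2 before 2.7.9 did not verify server certificates at all, so on those versions "handling https URLs" only meant encrypting to whoever answered. The base URL, the `/login` path and the JSON body shape are assumptions; the client refuses plain `http://` and sends the credentials in a POST body rather than a GET query string, where they would land in access logs.

```python
import json
import ssl
import urllib.parse
import urllib.request
from typing import Optional


class ApiClient:
    """HTTPS client for a hypothetical /login endpoint; the URL and API shape are assumptions."""

    def __init__(self, base_url: str, cafile: Optional[str] = None):
        # Refuse plain http:// outright so a misconfigured URL cannot leak the password.
        if urllib.parse.urlsplit(base_url).scheme != "https":
            raise ValueError("refusing to send credentials over a non-HTTPS URL")
        self.base_url = base_url.rstrip("/")
        # create_default_context() sets verify_mode=CERT_REQUIRED and check_hostname=True
        # and loads the OS trust store; cafile=... pins trust to your own CA instead.
        self.context = ssl.create_default_context(cafile=cafile)
        self.context.minimum_version = ssl.TLSVersion.TLSv1_2
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPSHandler(context=self.context))

    def build_login_request(self, username: str, password: str) -> urllib.request.Request:
        # Credentials travel in the POST body, not in the URL, so they stay out of
        # server access logs, proxy URL logs and Referer headers.
        body = json.dumps({"username": username, "password": password}).encode("utf-8")
        return urllib.request.Request(
            self.base_url + "/login", data=body,
            headers={"Content-Type": "application/json"}, method="POST")

    def login(self, username: str, password: str, timeout: float = 10.0) -> dict:
        # A server presenting an untrusted or mismatched certificate makes open() raise
        # urllib.error.URLError wrapping ssl.SSLCertVerificationError before any byte of
        # the body is sent. Do not catch that and retry with verification disabled.
        req = self.build_login_request(username, password)
        with self.opener.open(req, timeout=timeout) as resp:
            return json.load(resp)


def describe(client: ApiClient, username: str, password: str) -> dict:
    """Plain-value summary of what a login would look like on the wire (for inspection/tests)."""
    req = client.build_login_request(username, password)
    return {
        "verify_mode": client.context.verify_mode.name,
        "check_hostname": client.context.check_hostname,
        "method": req.get_method(),
        "url": req.full_url,
        "password_in_url": password in req.full_url,
        "body": json.loads(req.data.decode("utf-8")),
    }


def accepts_plain_http() -> bool:
    """True only if the client would talk to an http:// endpoint (it must not)."""
    try:
        ApiClient("http://api.example.test")
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed usage: the hostname is an assumption and is not contacted here.
    print(describe(ApiClient("https://api.example.test"), "alice", "s3cret"))
```

For a private CA, pass `cafile="/path/to/your-ca.pem"` and the client will accept only servers that CA signed; never set `check_hostname = False` or `verify_mode = CERT_NONE` to "fix" a verification error, since that reintroduces exactly the man-in-the-middle the question is trying to rule out.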

Thanks Mike and Tim.

Thanks for the resources Mike. I will work on setting up HTTPS with python.

Tim - Do you suggest I connect to a mysql database like so?

#!/usr/bin/python
import MySQLdb

# Connect with the application's database account. With this approach these
# values end up inside the client binary.
db = MySQLdb.connect(host="localhost",    # your host, usually localhost
                     user="john",         # your username
                     passwd="megajonhy",  # your password
                     db="jonhydb")        # name of the database

# you must create a Cursor object. It will let
# you execute all the queries you need
cur = db.cursor()

# Use all the SQL you like
cur.execute("SELECT * FROM YOUR_TABLE_NAME")

# print the first cell of every row
for row in cur.fetchall():
    print(row[0])

cur.close()
db.close()

My issue with this is that I am distributing a compiled binary with the mysql user name and password. Let’s say for example 1,000 people download and install my desktop application and then my mysql username/password gets leaked so anyone can directly query the database. If I change the password for that mysql user then those 1,000 have to download and install the new app with the new username/password combination compiled into the binary.

However if I create a web api so the client can query that api to make requests via https GET requests then I won’t have this problem because the credentials for the mysql user reside on the web node between the client and database, not on the client.

In addition I plan on having some redis logic with expiring data on this web node between the desktop client and the server running the mysql database to rate control clients based on the number of requests they have made during a particular time interval.

Based on my use case and comments can someone make a recommendation to allow users to directly query the database or should requests be sent to a web api which will query the database? As far as I can see, from a security standpoint there is no safe way to distribute a compiled binary with the mysql username/pass so users can query a remote database for my use case, but I just wanted some confirmation since I’m new to all this.


On Monday, July 8, 2013 2:13:15 PM UTC-4, Tim Roberts wrote:

> RedHotChiliPepper wrote:
>
> > I'm writing a desktop application that has to authenticate user
> > credentials (Like skype, league of legends or spotify) against a
> > remote datastore.
> >
> > Is there a recommended way of safely transferring this data to a
> > remote server? I read online one possible way of doing this is for
> > the client to make requests to a web api via https GET requests but I
> > wanted to verify if this was a good idea or if there were other
> > recommended ways.
>
> Do you already have an authentication scheme in place? Is that why
> you're leaning towards HTTP? If the data is in mysql, you can read from
> that directly. No need to go through a web server.
>
> > Also - If the above method is actually the preferred way, what is the
> > application logic I would need to write in order to validate the
> > certificate sent from the server?
>
> urllib2 already knows how to handle https URLs.
>
> --
> Tim Roberts, ti...@probo.com
> Providenza & Boekelheide, Inc.
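The design the post above arrives at, with the MySQL account living only on the web node, the client sending the user's own credentials, and a per-client request counter with expiring keys, is shown here as an added example (not code from this thread). It is the server-side logic behind a `POST /login` endpoint: the user store holds salted PBKDF2 hashes rather than passwords, comparison is constant-time, the client gets back a random bearer token instead of any database credential, and the limiter is consulted before the database is touched. The PBKDF2 parameters, the sample users, and the in-memory `ExpiringCounter` standing in for redis `INCR` plus `EXPIRE` are assumptions; in production the store is the MySQL table and the counter is redis.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: tune so one hash takes ~100 ms on the web node


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest). Only salt and digest are stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class ExpiringCounter:
    """In-process stand-in for redis INCR + EXPIRE: counts hits per key within a sliding-start window."""

    def __init__(self, window_seconds: int, clock=time.monotonic):
        self.window = window_seconds
        self.clock = clock
        self._store: Dict[str, Tuple[int, float]] = {}  # key -> (count, expires_at)

    def incr(self, key: str) -> int:
        now = self.clock()
        count, expires_at = self._store.get(key, (0, 0.0))
        if now >= expires_at:  # key expired (or never existed): start a fresh window
            count, expires_at = 0, now + self.window
        count += 1
        self._store[key] = (count, expires_at)
        return count


class AuthService:
    """Logic behind POST /login. Holds the user store and DB access; the client only ever holds a token."""

    def __init__(self, max_requests: int = 5, window_seconds: int = 60, clock=time.monotonic):
        self._users: Dict[str, Tuple[bytes, bytes]] = {}  # stand-in for the MySQL users table
        self._tokens: Dict[str, str] = {}                 # token -> username
        self._limiter = ExpiringCounter(window_seconds, clock)
        self._max_requests = max_requests

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def login(self, username: str, password: str, client_ip: str) -> dict:
        # 1. Rate-limit by client address before doing any expensive or DB-touching work.
        if self._limiter.incr("login:" + client_ip) > self._max_requests:
            return {"ok": False, "error": "rate_limited"}
        # 2. Recompute the digest with the stored salt. Unknown users get a dummy salt so
        #    the hash is still computed and timing does not reveal whether the name exists.
        salt, stored = self._users.get(username, (b"\x00" * 16, b"\x00" * 32))
        _, candidate = hash_password(password, salt)
        # 3. Constant-time comparison of the digests.
        if username not in self._users or not hmac.compare_digest(candidate, stored):
            return {"ok": False, "error": "bad_credentials"}
        # 4. Issue a random bearer token; later requests carry the token, never the password.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = username
        return {"ok": True, "token": token}

    def user_for_token(self, token: str) -> Optional[str]:
        return self._tokens.get(token)


def demo() -> dict:
    """Constructed walk-through: good login, bad password, unknown user, limiter, then window expiry."""
    t = [0.0]  # fake clock so the window can be advanced deterministically
    svc = AuthService(max_requests=3, window_seconds=60, clock=lambda: t[0])
    svc.register("alice", "correct horse battery staple")
    ip = "203.0.113.7"
    good = svc.login("alice", "correct horse battery staple", ip)
    bad = svc.login("alice", "wrong", ip)
    nobody = svc.login("mallory", "x", ip)
    limited = svc.login("alice", "correct horse battery staple", ip)  # 4th request in the window
    t[0] = 61.0  # window elapsed: redis would have expired the key by now
    again = svc.login("alice", "correct horse battery staple", ip)
    return {"good": good, "bad": bad, "nobody": nobody, "limited": limited,
            "again": again, "who": svc.user_for_token(good["token"])}


if __name__ == "__main__":
    print(demo())
```

Wire `AuthService.login` behind the framework of your choice so that it reads a JSON body from a POST, and note that rotating the web node's MySQL password now touches one config file on the server rather than every installed client.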

I recommend not hard-coding user names and passwords.
I recommend creating a separate dialog in your app to create a local file on initial use, or to log in each time.

It is pretty much the standard way for so many security reasons. If a user is fired or banned or changes job position, what is to prevent them from making a copy of your app? They don't need to reverse engineer it. They can just use it. And it is a hassle for users, administrators and developers to download a new version of the app to each user each time a password needs to be changed.