Say I want to build a public API to access a website that doesn't have one. The website is protected by a standard username/password scheme and the API implementation will use scraping to get the data from it.
What would be the best way to handle passwords in this scenario?
My current best idea is this. Get the username and password in an HTML form on my site (the same one that serves the API), and generated a URL to access the API that includes an encrypted blob of username+password. The encryption is symmetric AES256 based on a key stored only on the API server. When the user will access the API URL, the API server will decrypt the credentials and access the remote website.
As an additional level of protection, I'm thinking of running the API as CGI, so that only a short lived process is ever exposed to plaintext credentials.
Does that make any sense? Are there any standard solutions to this kind of problem?
[Edit]
Possible duplicate: How to store passphrase in this situation?
Aucun commentaire:
Enregistrer un commentaire