Security¶
DIY Surveys offers Basic and HMAC authentication for API calls. Callbacks can also use HMAC authentication.
[!NOTE] To use any security approach, you need access to an account and must set up access tokens for development.
Basic authentication¶
Basic authentication is supplied through the request header.
A Basic Access Token can be created in your DIY Surveys account. The AppId is used in the authentication header:
Authorization: Basic AppId
[!NOTE] Basic Authentication is intended to make testing easy with tools such as Postman. HMAC Authentication is recommended for production applications.
HMAC authentication¶
HMAC authentication calculates a message authentication code using a hash function and a shared secret between the client and server.
An HMAC access token includes:
| Attribute | Description |
|---|---|
AppId |
Application ID used in the encryption/decryption process. |
Secret |
Secret used by the client. |
Encryption process¶
Step 1¶
The client builds a string by combining the request data. The string contains six parameters concatenated with no delimiter:
- AppId.
- HTTP method.
- Request URI.
- Request timestamp.
- Nonce.
- Base64 representation of the request payload/body.
The request timestamp uses UNIX time: the number of seconds since 1 January 1970. The nonce is an arbitrary value used only once.
Step 2¶
Hash the string using SHA-1 and the API key. The result is the request signature.
Step 3¶
Send the signature in the Authorization header using the X-DIY-Signature scheme.
Authorization: X-DIY-Signature APPId:Signature:Nonce:Timestamp
Step 4¶
Send the request normally with the generated authorization data.
Decryption process¶
Step 1¶
The server receives the request and extracts the AppId, signature, nonce, and request timestamp from the authorization header.
Step 2¶
The server looks up the AppId in a secure repository to retrieve the API key for that client.
Step 3¶
The server validates that the request is not a replay request. This uses the timestamp and nonce included in HMAC signature generation. The server checks whether the nonce has been used before within acceptable bounds, such as five minutes.
[!NOTE] If the client is receiving a callback request, the timestamp and nonce checks do not apply.
Step 4¶
The server rebuilds a string using the same data and ordering used by the client.
Step 5¶
The server hashes the rebuilt string using SHA-1 and the same API key. If the generated signature matches the supplied signature, the call is authentic. Otherwise, the server returns HTTP 401 Unauthorized.