I have created a resource with only uses the base API url
I'm using a Query in my APP where i store my Client ID and Client Secret in the body to get the bearer token.
This token expires in 3000
My plan is to setup a query to post the file to our file storage.
Note I have never used API before and is in the process to learn this now.
As the Client Secret is stored as plane text in the query, I have security question to this?
maybe set up 2 resources, One with Client ID and Client Secret and one using the token from the first?
How to Post file but request new token if it has expires
Just wondering: Is this your own file storage or is it a service like drive/Dropbox?
Usually you have a client secret that you send as a header to the service. You’ll receive a token or a session id. The token you store on your client side. For instance in a variable, local storage or in memory. I guess you do not really need to store it. I do not now if it makes a different security wise though. I imagine you can extract the token from a variable or as a result from a rest request either way. That’s why you let it expire.
The token can be set in a header in the second request. So it doesn’t have to be in the body. Also I do not know if it would have any effect on security if it is in the body or in the header. Seems to me that both can be extracted.
Secrets, passwords and client_ids should usually be stored in environment variables. You can read about it here:
This way you can reuse them and store them outside your app. This way if you commit or export your app, it doesn’t contain sensitive data.
The file storage is in house on our server.
I'm using Retool on prem and this do not have a resource to mappup a local disk, I need to use our REST API
Will setting up a separate REST API resource with Authentication be more secure as the client Secret will not be showing?
Example:
