Secure login to REST API over HTTP


I'm currently working on a C# project which integrates with the TeamCity REST API and it's all working ok except for sending passwords in plain text over HTTP during authentication. I've seen that the regular user login page actually encrypts or hashes the password which makes it safer over HTTP than sending the plain text password. Does anyone know if it's possible to do something similar when connecting to the REST API, and if so is there a C# implementation of the encryption / hashing algorithm somewhere? (Or alternatively, a description of what the technical details of the encryption / hashing algorithm are so that I can have a go at implementing it myself - I'll publish the result on a GitHub project if I get it working).

We've got a long-term plan to move to HTTPS which would obviously be a better solution, but in the meantime I'm stuck with HTTP and I'd like to avoid sending plain text passwords...



1 comment

Hi Michael,

Sorry for the delayed reply.

I am afraid that so far there is no "due" way to securely login via REST other than using HTTPS.
Transferring of the clear-text password can be minimized to once per session, though, see the comment.

As to the login page algorithm, that is implemented in JavaScript and you can get that by looking at the login page code. But so far that is not part of the "open API"...

BTW, is your project a wrapper over REST API (like some others) or does it provide additional functionality?
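
The once-per-session approach mentioned in the reply, as an added C# example that is not part of the original thread or TeamCity's own code: a handler that sends Basic credentials only until the server has issued a session cookie. The stub server, the cookie name `SESSION`, the host and the path are constructed, and it assumes the server sets a session cookie after a successful authenticated request.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Sends Basic credentials only while no session cookie is held for the target URI.
class OncePerSessionAuthHandler : DelegatingHandler {
    private readonly CookieContainer _cookies = new CookieContainer();
    private readonly string _basic;
    public int CredentialSends { get; private set; }

    public OncePerSessionAuthHandler(string user, string password, HttpMessageHandler inner) : base(inner) =>
        _basic = Convert.ToBase64String(Encoding.UTF8.GetBytes(user + ":" + password));

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage req, CancellationToken ct) {
        string cookie = _cookies.GetCookieHeader(req.RequestUri);
        if (cookie.Length > 0) {
            req.Headers.Add("Cookie", cookie);            // session established: no password sent
        } else {
            req.Headers.Authorization = new AuthenticationHeaderValue("Basic", _basic);
            CredentialSends++;                            // password goes on the wire here
        }
        HttpResponseMessage resp = await base.SendAsync(req, ct);
        if (resp.Headers.TryGetValues("Set-Cookie", out var setCookies))
            foreach (string c in setCookies) _cookies.SetCookies(req.RequestUri, c);
        return resp;
    }
}

// Constructed stand-in for the server so the example runs offline (hypothetical cookie name).
class StubServer : HttpMessageHandler {
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage req, CancellationToken ct) {
        bool hasSession = req.Headers.TryGetValues("Cookie", out var c) && string.Join(";", c).Contains("SESSION=abc");
        var resp = new HttpResponseMessage(hasSession || req.Headers.Authorization != null
            ? HttpStatusCode.OK : HttpStatusCode.Unauthorized);
        if (!hasSession && resp.IsSuccessStatusCode) resp.Headers.Add("Set-Cookie", "SESSION=abc; Path=/");
        return Task.FromResult(resp);
    }
}

class Program {
    static async Task Main() {
        var auth = new OncePerSessionAuthHandler("user", "constructed-password", new StubServer());
        using var client = new HttpClient(auth) { BaseAddress = new Uri("http://buildserver.example/") };
        for (int i = 0; i < 3; i++) (await client.GetAsync("rest/resource")).EnsureSuccessStatusCode();
        Console.WriteLine($"requests: 3, credential sends: {auth.CredentialSends}");
    }
}
```

Over plain HTTP the first request and the session cookie are still readable on the network, so this narrows the exposure of the password and does not replace HTTPS.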

