How can my Rail3 app authenticate a request from my iPhone app?

Developer https://www.devze.com 2023-02-27 08:50 Source: web

I'd like to add a tournament mode to my iPhone game and have a Rails 3 app track the tournament stats. Basically, every time a match ends, the winner will be reported to my Rails 3 app using a post request like...

POST http://myrail3app.com/tourney/matchresults?winner=username

Obviously anyone could monitor the URL of the request being made and then make the same requests on their computer over and over again and cheat. So I'd like some way to authenticate the request on the Rails 3 app that ensures the request is coming from my iPhone app only. Your thoughts?

Thanks so much for your wisdom!


Using the UDID as mentioned by Jason doesn't necessarily stop someone from reposting that in a desktop browser several times.

You have a few options, depending on how complex you want to get:

a) Public key encryption between your app and the rails server

  • Read (iPhone): http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CertKeyTrustProgGuide/iPhone_Tasks/iPhone_Tasks.html#//apple_ref/doc/uid/TP40001358-CH208-SW9

  • And (Rails): http://stuff-things.net/2007/06/11/encrypting-sensitive-data-with-ruby-on-rails/

b) You can use a signature generation service, similar to how Facebook and Amazon handle signatures in their requests.

  • You provide a secret key to the app (most likely in your Objective-C code somewhere), and generate an HMAC signature based on all the parameters you are sending the app with your secret key (see http://www.ouah.org/ogay/hmac/). You then use the parameters sent across to generate another signature on the Rails side, and compare the signature sent (e.g. in Rails: OpenSSL::HMAC.hexdigest('sha256', key, message), where the key comes before the message). If the two signatures are different, you know someone has tampered with the parameters.

  • See Facebook (http://developers.facebook.com/docs/authentication/signed_request/) and Amazon (http://docs.amazonwebservices.com/AWSSimpleQueueService/2007-05-01/SQSDeveloperGuide/SummaryOfAuthentication.html) for an example on how to do this.

c) Depending on whether you want to share other data between your apps and your Rails server, you can implement an OAuth provider on the Rails side.

  • Read (Rails): http://stakeventures.com/articles/2007/11/26/how-to-turn-your-rails-site-into-an-oauth-provider
  • And (iPhone): http://davidquail.com/2009/12/07/oauth-authorization-callback-on-the-iphone-with-webview/
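
As an added illustration of option (b), not code from the original answer: a Ruby sketch of the signing step the phone would perform and the verification step the Rails controller would perform. It goes a little beyond the answer by also adding a timestamp and a nonce, so that a captured request cannot simply be re-posted, which is the concern raised in the question. The secret value, the parameter names and the `seen_nonces` store are assumptions made for the example.

```ruby
require 'openssl'
require 'set'

# Hypothetical shared secret; in the real app it would be embedded in the
# iPhone binary and kept in Rails configuration, never in a public repo.
SECRET = 'demo-secret-not-for-production'.freeze
MAX_SKEW = 300 # seconds during which a signed request is accepted

# Canonical string: sorted key=value pairs (sig excluded) so that both
# sides feed identical bytes to the HMAC regardless of parameter order.
def canonical_string(params)
  params.reject { |k, _| k == 'sig' }
        .sort_by { |k, _| k.to_s }
        .map { |k, v| "#{k}=#{v}" }
        .join('&')
end

# OpenSSL::HMAC.hexdigest takes (digest, key, data) in that order.
def sign_params(params, secret = SECRET)
  OpenSSL::HMAC.hexdigest('sha256', secret, canonical_string(params))
end

# Constant-time comparison so the check does not leak how many leading
# bytes of a guessed signature were correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Phone side: attach ts + nonce to the match result, then sign everything.
def build_signed_request(winner, now: Time.now.to_i,
                         nonce: OpenSSL::Random.random_bytes(8).unpack1('H*'))
  params = { 'winner' => winner, 'ts' => now.to_s, 'nonce' => nonce }
  params.merge('sig' => sign_params(params))
end

# Rails side: `seen_nonces` stands in for a DB or cache table of used nonces.
# Returns a symbol so the controller can reject and log the exact reason.
def verify_request(params, seen_nonces, now: Time.now.to_i, secret: SECRET)
  return :missing_fields unless %w[winner ts nonce sig].all? { |k| params.key?(k) }
  return :bad_signature unless secure_equal?(sign_params(params, secret), params['sig'])
  return :stale unless (now - params['ts'].to_i).abs <= MAX_SKEW
  return :replayed unless seen_nonces.add?(params['nonce']) # nil if already used
  :ok
end
```

A tampered winner fails the signature check, a request older than MAX_SKEW is rejected as stale, and the same request submitted twice is rejected as replayed.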


You can just make the site only respond to a select list of iPhone IDs.

// Reads the device UDID; this API was deprecated in iOS 5 and later removed, so it no longer works on current devices.
NSString *deviceUDID = [[UIDevice currentDevice] uniqueIdentifier];