I am creating a rails app which will help out busin开发者_StackOverflow中文版esses. These businesses have thousands of employees who will need a user account on this app.
I would like the business to be able to implement a form on their local intranet which can be submitted by users when they want to sign up to my app. This form posts some semi-sensitive fields to my rails API about their currently logged in user, such as their name and email address which would be populated by their server side code.
I can use this information to aid in the process of signing the user up to my site, and in identifying which business they actually do belong to. However, the form information along with an API key will need encrypting to avoid any data being stolen or a business being spoofed.
What methods of encryption are there out there that can be implemented on a variety of different languages and frameworks, and that involve the least amount of fuss to implement for the business?
OPEN SSL with Public and Private key encryption does seem like a good choice, but this does require some exchanging and creating of keys and can get complicated. Are there easier options?
Why not just have them post to your site over TLS/SSL? They can include their API key. SSL is about as cross-platform and cross-language as you can get. Any decent server-side language can make an HTTP request, so if you want them to send the request from their backend instead of directly from the form, that is easy enough.
You should use SSL to secure the transport layer as well as built-in Rails form protection (assuming you might do your own forms). Assuming this is intranet, you can generate an SSL certificate and run your Rails app through https://
Edit1: You can also roll out a full API with OAuth/OpenID to authenticate users and authorize other applications. It all depends on if you own the data, users and ecosystem overall.
精彩评论