I am writing a mobile client for an online store. I have written a REST API for accessing data on the server. Now I need to authenticate the user.
I have read a lot about this, and came to a simple solution.
Firstly, when the user runs the application for the first time, he must enter exactly the password and login from the online store account. In this case the password is somehow sent to the server and checked, after which the user gets a response.
If everything is OK, the user receives an access token that can be used in the future to access private data. If not, he gets a simple forbid message.
I have some questions here:
What is the best way to send the password and login for the first time, to get the access token? Encrypt the password with some algorithm and then send it over plain HTTP, or establish an HTTPS session and simply use this channel to transfer data over the net? In that case the password doesn't have to be encrypted separately, since it uses the public/private keys provided by HTTPS?
Is it OK to send this request as a POST method over HTTPS, for example using a URL like /api/v0/store/auth? Or is it better to do this another way?
In all cases where HTTPS is used, do I need a self-signed certificate?
I would be grateful for any help. Thanks in advance.
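Added example (editor's code, not from the question's author or any project it refers to): the server-side logic that a `POST /api/v0/store/auth` handler would run once the login and password arrive in the request body. It assumes the request was carried over HTTPS, so the password itself is not encrypted a second time; the server only ever stores a salted PBKDF2 hash, compares it in constant time, runs the hash even for unknown logins so response timing does not reveal which accounts exist, and issues an opaque random token with an expiry that later requests present as a `Bearer` header. The `AuthServer` class, its in-memory user and token stores, and the `clock` parameter are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000   # work factor for the stored password hash
TOKEN_TTL_SECONDS = 3600      # access tokens expire after one hour (assumption)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AuthServer:
    """Logic behind the hypothetical POST /api/v0/store/auth endpoint."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        # login -> (salt, pbkdf2 digest); plaintext passwords are never kept
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        # token -> (login, expiry timestamp); tokens are opaque and server-side only
        self._tokens: Dict[str, Tuple[str, float]] = {}

    def register(self, login: str, password: str) -> None:
        self._users[login] = hash_password(password)

    def handle_auth(self, body: dict) -> Tuple[int, dict]:
        """Handle the JSON body of the auth request; returns (HTTP status, JSON reply)."""
        login = body.get("login")
        password = body.get("password")
        if not isinstance(login, str) or not isinstance(password, str):
            return 400, {"error": "login and password required"}
        record = self._users.get(login)
        # Hash against a dummy salt for unknown logins so the timing is the same
        salt, stored = record if record is not None else (b"\x00" * 16, b"\x00" * 32)
        _, candidate = hash_password(password, salt)
        if record is None or not hmac.compare_digest(candidate, stored):
            return 403, {"error": "forbidden"}
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (login, self._clock() + TOKEN_TTL_SECONDS)
        return 200, {"access_token": token, "expires_in": TOKEN_TTL_SECONDS}

    def authenticate_token(self, authorization: Optional[str]) -> Optional[str]:
        """Resolve an 'Authorization: Bearer <token>' header to a login, or None."""
        if not authorization or not authorization.startswith("Bearer "):
            return None
        token = authorization[len("Bearer "):]
        entry = self._tokens.get(token)
        if entry is None:
            return None
        login, expiry = entry
        if self._clock() > expiry:
            del self._tokens[token]   # expired tokens are dropped on first use
            return None
        return login

    def revoke(self, token: str) -> None:
        """Invalidate a token, e.g. on logout or a password change."""
        self._tokens.pop(token, None)


if __name__ == "__main__":
    server = AuthServer()
    server.register("alice", "correct horse battery staple")   # constructed account
    status, reply = server.handle_auth({"login": "alice", "password": "correct horse battery staple"})
    print(status, reply)
    print(server.authenticate_token("Bearer " + reply["access_token"]))
    print(server.handle_auth({"login": "alice", "password": "wrong"}))
```

The token is a random value looked up server-side rather than anything derived from the password, so a leaked token can be revoked without touching the account, and the password never leaves the device again after the first login. Whatever certificate the server uses, the mobile client must actually verify it (for a self-signed certificate that means pinning that exact certificate in the app), otherwise the HTTPS channel protects nothing.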