Obtain web service token

In Moodle Mobile apps or other web service clients, we need a secure method to transmit token.

• The easiest way would be using https for token request script, user enter username and password, send them to HTTPS protected script to obtain the token, the disadvantage of this method is the limit of HTTP server, for some shared hosts, HTTPS is not available.
• I looked OAuth, it's getting popular, and secure. But it has a few disadvantage:

1. Moodle for iPhone will support multi Moodle instances, so we have to save api and secret for each website, it's very annoying for mobile users to type such long keys
2. The major problem is OAuth will need two keys: access key and access secret during transmission, then generate a signature using a few factors, the signature will embedded in http header, moodle will need to verify this signature. It looks like another security layer besides web service subsystem, if we only use it for obtaining web service token, I am not sure if worth to use it, we will have to implement OAuth server, and a few scripts to handle access keys exchange, and database tables including oauth_log, oauth_consumer (store consumer key and secret), consumer_token, access token(store access key) we need at least three new tables, probably another two to store nonce and activity logs.

• RSA algorithm can be alternative method of HTTPS, before we add a website in moodle app, we request the public key from the website, encrypt the username, password and user secret by public key, then send them to server, moodle will decrypt it by private key, if success, encrypt the key by the user secret (use 3DES or AES), 1024-2048 bits public key is considered to be safe, but it could be slow for mobile device because of the long key. ECC algorithm use shorter key and strong, but it's more difficult to implement.

My proposal would be the combination of HTTPS and RSA.

It's related to http://tracker.moodle.org/browse/MOBILE-14

--Dongsheng Cai 11:08, 20 April 2011 (WST)

Upload and download files from moodle

We already implemented "upload" web service, which only allow users to upload files to user private, the problem is we need to use base64 encoding binary file so it can fit into xml payload, it theoretically works, but in the real world, if we pick a file from iphone photo library, it's usually around 1.2Mb, encoding will enlarge the file by 33%, not too bad, but encoding the picture will take more than a minute, it's very bad user experience.

For better performance, we'd better use POST and GET the upload and download files, then we need to setup session, what we need to do:

1. Assume user already got token, then user send token and file to a special script in Moodle, for example http://yourmoodle.com/files/ws_upload.php Moodle verify the token, if true, setup session, check permission, then allow uploading
2. If users intend to download a moodle file served by pluginfile.php, first users request a special script with token, if token is valid, grant the session, then users will be able to access the files served by pluginfile.php, we need to http request in this case, if we can verify the token in pluginfile.php to reduce the http traffic, I'm not sure if it's acceptable.

It's related to http://tracker.moodle.org/browse/MOBILE-19

--Dongsheng Cai 11:08, 20 April 2011 (WST)