[Interest] How to login to a website then call an API from the app

Jason H jhihn at gmx.com
Mon Apr 4 16:36:22 CEST 2016

> Subject: [Interest] How to login to a website then call an API from the app
> (Apologies for the confused question but I don't know enough about what I'm trying to ask to know what the question should be).
> We have a Qt4.8.2  app that opens a browser to our website so the user can login. This creates a cookie which we can then use to call the website API from our app after the browser is closed. Now we've moved to Qt5 this has stopped working because QNetworkAccessManager can't be tied to QWebEngine and it looks like we need to move to Qt 5.6 to use the QWebEngineCookieStore class. But it got me thinking - is this actually a good way of doing this or is there a "best practice" we can follow?
> You can probably tell that I don't have much experience of web development so this is probably a dumb question, but what's the best way of doing this? Dropping the browser and just using a login dialog then hashing the password (we don't want to store it locally) and logging in via an API call? Or should we be looking at something like OAuth?
> Thanks for any assistance.

I'm not familiar with the WebEngine stuff, but that seems correct. QWebEngineProfile::cookieStore() returns the cookie store singleton, so you should be good. 
Generally, you don't hash the password on the page, it should be sent plain-text over SSL. The reason why I say plaintext is because whatever is sent, hashed or not, is public. If you hash before sending, someone who views that page can look at your source and figure out to hash it. So hashed or not, it is the same level of security. I've used OAuth and custom login schemes, it does not matter. OAuth workflows allow users to use existing accounts, which may be beneficial for you, or they might not. I work in HIPAA-land, so we need to have password controls which means we can't use OAuth from existing sites.

More information about the Interest mailing list