API Token Revocation

This post was inspired by this. If you have not read it yet, do so now, then come back. I'll wait.

If you run an OAuth-enabled API and you must (for whatever reason) also accept basic HTTP authentication, you should revoke a user's token whenever it is presented to your API over plain HTTP: a credential sent in cleartext has to be treated as leaked.

If you don't control your entire stack (for example, TLS is terminated at a reverse proxy you don't operate), you may have trouble detecting such requests. It is still imperative that you make a best effort: work with the reverse-proxy admin so that the original scheme is passed through to your application and you can detect these requests.

Here is some pseudocode for a server to handle this:

// Express-style handler: the request arrived over plain HTTP, so the key it
// carried is treated as leaked and revoked before the error is returned.
if (!request.secure) {
    // The key comes from the incoming request, not the response object.
    const apiKey = request.headers['api_key'];
    db.keys.delete({ api_key: apiKey });
    response.status(400);
    response.end('you just lost the game, and your api key');
}
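The same idea carried through with the reverse-proxy case from above, as an added, self-contained example (not the post's own code): the request is judged secure only if TLS terminated locally or a proxy we explicitly trust says so via X-Forwarded-Proto, and a key seen in the clear is revoked before the error goes back. The request shape (socketEncrypted, remoteAddress, headers), the in-memory key store and the addresses are constructed for the example; the api_key header name is the one from the post.

```javascript
// Constructed in-memory key store: api_key -> { user, revoked }.
const keys = new Map([
  ['key-alice', { user: 'alice', revoked: false }],
  ['key-bob',   { user: 'bob',   revoked: false }],
]);

// Was the request protected by TLS end to end?
// `trustedProxies` lists the only peers whose X-Forwarded-Proto we believe;
// the header from anyone else is ignored, since any client can set it.
function isSecure(req, trustedProxies) {
  if (req.socketEncrypted) return true;                  // TLS terminated here
  if (!trustedProxies.includes(req.remoteAddress)) return false;
  const proto = (req.headers['x-forwarded-proto'] || '')
    .split(',')[0].trim().toLowerCase();                 // first hop wins
  return proto === 'https';
}

// Mark the key dead; returns true if a record existed.
function revoke(apiKey) {
  const rec = keys.get(apiKey);
  if (rec) rec.revoked = true;
  return Boolean(rec);
}

function isRevoked(apiKey) {
  const rec = keys.get(apiKey);
  return Boolean(rec && rec.revoked);
}

// Handle one request; returns the response the API would send.
function handle(req, trustedProxies = []) {
  const apiKey = req.headers['api_key'];
  if (!isSecure(req, trustedProxies)) {
    // Revoke first, then respond: if the client disconnects, the key is still dead.
    const revoked = apiKey ? revoke(apiKey) : false;
    return { status: 400, body: 'you just lost the game, and your api key', revoked };
  }
  const rec = apiKey ? keys.get(apiKey) : undefined;
  if (!rec || rec.revoked) {
    return { status: 401, body: 'invalid or revoked key', revoked: false };
  }
  return { status: 200, body: `hello ${rec.user}`, revoked: false };
}
```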

Now, the real solution is obvious: don't run your API over plain HTTP at all. If for whatever reason you cannot follow that one rule, revoking anything sent in the clear is the next best thing.