DEV Community

Discussion on: Critique My Plan: API Key for Authentication

Jason Sebring • Edited

I've done something where on authentication, I create a secret that is passed only a single time that both client and server share, then a GUID is created and passed around as the "public key". Each request, wherever it originates, client or server, the client or the server signs the request using the private and public "keys" (secret and GUID), passes the GUID in the request, and then the receiving end checks the hash. This is a pretty common approach for OAuth and Amazon etc. Authorization can be passed around as long as it is part of the signature, but I recommend just keeping a lookup on the server for that, as you don't need to broadcast more info than necessary. I use Node, so I get to use crypto on both sides. This is pretty secure because the signature is also signed with a timestamp and passed around plain as well, so you can check how old the request is directly before having to check the signature, then only check the signature if it's not too old to verify it matches. You could also store on the server the last timestamp of the request for that user and have a rule that it can't repeat.