I have a restful api written in Go. I want to authenticate each request. To do so, the server and the client share a secret.
To authenticate a GET request to /foo/bar/, the client add a nonce parameter with a timestamp to the url, /foo/bar/?nonce=13899932199128265, and then add the hmac of data with the secret to the url. It gives something like /foo/bar/?nonce=13899932199128265&hmac=hd7nd7s9s702j
To verify the validity of an incoming request, the server verify that no requests from the client arrived after the time stamp and that the hmac is valide.
I believe it is a common way to authenticate requests. For instance, mtgox uses a similar process.
The problem that I have is that my client will likely require a list of urls [url1, ... urln] at the same time. In that case, nothing guarantee that the first request sent by the client will arrived first to the server. Indeed, any permutation of the requests will result in 403 errors.
My first question is simple: is that a real problem? Is it likely that request order will change during transport?
Second, is it entirely to the client to verify no 403 errors happen?
Is there better way to do?
Thanks a lot!