First post on Sec, so go easy.
I'm developing a REST application using the Spring Framework, and as part of the requirements we have to secure the different functions of the system to different user roles (pretty standard stuff). My current method of determining the roles for the currently logged-in user is that every time they call a REST URL from the frontend, I am adding a Base64-encoded string to the request header. This string, when decoded, resolves to their username and a bcrypt-generated password hash in this format: username:hashedpassword.
I'm slightly concerned that this is not secure, even though the request will be made over a secure HTTP connection, because it could give a potential hacker access to at least the user's username. They couldn't get the password, because that is just a hashed value, but they could use that hashed value to call the REST API successfully.
How can I secure this system properly? Do I need to add in a session token or some kind of randomly generated key for the session?
My follow-up question is then: how can I do that RESTfully? I was thinking that I could generate (using bcrypt) a hash that represented the username:hashedpassword together on login, save that to the database and check against that whenever a REST call is made. When the user logs out, just set that to null. Rinse and repeat. That way any potential attacker would only get a single bcrypt string that wouldn't expose the username, but they could still use that string to call the REST API.
Any thoughts are welcome, just trying to sort through if what I have is secure enough for our purposes.
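As an added example, not part of the original post and not Spring code: the two mechanisms the post discusses side by side in plain Python. The first function builds the static "username:hash" header described in the question (a constructed sample value is used, not a real hash); the rest implements the alternative the post asks about, an opaque per-login session token. The in-memory SESSIONS dict, the one-hour TTL and the function names are assumptions standing in for the database and for whatever filter or interceptor would do this in the real application.

```python
import base64
import hashlib
import secrets
import time

# Hypothetical in-memory session store standing in for the database:
# sha256(token) -> {"username", "roles", "expires"}.
SESSIONS = {}
SESSION_TTL_SECONDS = 3600  # assumed lifetime; pick what the application needs


def static_credential_header(username, password_hash):
    """The scheme from the post: Base64 of 'username:hashedpassword'.

    The value never changes between requests, so anyone who captures it can
    replay it until the password changes, and the username falls out of a
    single base64 decode.
    """
    return base64.b64encode(f"{username}:{password_hash}".encode()).decode()


def decode_static_header(header):
    """Show how little protection the encoding gives: recover the username."""
    return base64.b64decode(header).decode().split(":", 1)[0]


def issue_session(username, roles, now=None):
    """Login: mint a random opaque token and store only its hash.

    The token carries no user data, so capturing it reveals nothing about the
    account; it is bound to one login and can be invalidated independently of
    the password. 32 bytes from secrets is 256 bits of entropy, so a fast hash
    (SHA-256) is enough here; bcrypt is for low-entropy passwords, not tokens.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    SESSIONS[key] = {
        "username": username,
        "roles": tuple(roles),
        "expires": now + SESSION_TTL_SECONDS,
    }
    return token


def authenticate(token, now=None):
    """Per-request check. Returns (username, roles) or None.

    Lookup is by hash, so a leaked copy of the store does not yield working
    tokens. Expired sessions are purged as they are seen.
    """
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = SESSIONS.get(key)
    if entry is None:
        return None
    if now >= entry["expires"]:
        del SESSIONS[key]
        return None
    return entry["username"], entry["roles"]


def revoke_session(token):
    """Logout: drop the server-side record; the token is useless afterwards."""
    key = hashlib.sha256(token.encode()).hexdigest()
    return SESSIONS.pop(key, None) is not None


def authorize(token, required_role, now=None):
    """Role check as the REST layer would do it: valid session AND role held."""
    auth = authenticate(token, now)
    return auth is not None and required_role in auth[1]


if __name__ == "__main__":
    # Constructed sample values; "$2b$12$notarealhash" is not a real bcrypt hash.
    hdr = static_credential_header("alice", "$2b$12$notarealhash")
    print("static header leaks username:", decode_static_header(hdr))
    tok = issue_session("alice", ["ROLE_USER"])
    print("session token (no user data inside):", tok)
    print("ROLE_USER allowed:", authorize(tok, "ROLE_USER"))
    print("ROLE_ADMIN allowed:", authorize(tok, "ROLE_ADMIN"))
    revoke_session(tok)
    print("after logout:", authenticate(tok))
```

The difference the example is meant to make concrete: the static header is a credential that stays valid until the password changes, whereas the token is tied to one login and dies on logout or expiry, and storing only its hash means a read of the store does not hand out live sessions. Spring Security's own session and bearer-token support does the same job as this hand-rolled store; the example shows the shape of the mechanism, not a replacement for the framework.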