I have a dating site.. so users need to sign up and sign in to chat we others.
My website is made in HTML and PHP and when a user is logged in, i use $_SESSION.
But my new site (v2), will use a JS FrameWork with calls to my api.
So my first question is about this API... Should i use $_SESSION in my API to find out which user is logged in?
And the second part of my question is.. After my webapp will be done, i will start the mobile app and i was wondering if i can use the SAME API Or it is better to use another api dedicated to the mobile app ?
By aPI i mean all file to interact with the user (entry point, routes, controllers, models... )
So one API for mobile app and my web app? or it is better to have an api for each app
Pascal
API's meant to be stateless and need to have JWT or other stateless token based mechanisms to perform authentication.
You can use token based authentication for both web and mobile apps.
For JWT authentication you can use one of the packages listed on: https://jwt.io/libraries?language=PHP
Related
I've developed a website with the usual crud functionalities in Codeigniter and MySQL. I'm now tasked with creating a mobile app (with the same functionalities ) in Ionic 2.
To access my database with Ionic, I created a REST api -- which I was able to manipulate smoothly.
My questions are:
How, or can I, use my MySQL users' credentials to log in on my Ionic 2 app?
How can my web and mobile can share the same database?
I've been reading a lot about Fire base,etc. However, my tiny brain is unable to comprehend whatever I read. If anyone can point me to right direction, I would highly appreciate it. Thanks!
When developing an Ionic App you have to think of it as if you were developing a regular website. The only difference is that you have access to native device features with cordova plugins, but the whole flow is almost exactly like in a regular website (it is an angular application after all).
This means you can use your API just like you use it in your website. There is no need to use firebase. (Firebase is kind of like a database itself that you could use INSTEAD of your MySQL backend)
Totally agree with #Andreas. When you build a modern application that supports on the different platforms such as web or mobile, you need to design a standard API and then next step is to build a web application/mobile app to consume this API. And because of all the web/devices are all consuming from the same API, they are interacted with the same database. Unless they are using different API.
Can refer to the image below for easy understanding.
So talk about how authentication and authorization can be done from the mobile app or from the web app. You should take a look at OAuth2. It is a protocol for securing API services from untrusted devices, and it provides a nice way to authenticate mobile users via what is called token authentication.
The workflow will look like below, on both web and mobile app.
A user opens up your mobile app and is prompted for their username or email and password.
You send a POST request from your mobile app to your API service with the user’s username or email and password data included (OVER SSL for sure. If you don't know about it, google it).
You validate the user credentials, and create an access token for the user that expires after a certain amount of time.
You store this access token on the mobile device, treating it like an API key which lets you access your API service.
Once the access token expires and no longer works, you re-prompt the user for their username or email and password.
Reference
REST API from PHP
The ultimate guide for Mobile Security
I'm working on a project where I'm developing a platform. As a solo-developer I made the decision to use Lumen as a PHP back-end and create an RESTful API.
Web shops should be able to install a plugin so they can access the API without having to code themselves.
I need to keep track of the web shops that use the API. I just need the same way to retrieve access tokens like Twitter and Facebook do when you register an app.
So I was thinking about OAuth2 Server but I have never used it before so I'm not sure if I'm on the right path...
If you want your own OAuth2 system then yes you will need a server running it.
The idea of OAuth2 is to authenticate your clients where a shop equals one client.
OAuth2 is not about individual users but clients. With that idea in mind you can setup an OAuth2 server and its only job would be to authenticate each request, make sure it belongs to a recognized client and then issue a token.
With that token you can then go on and issue more requests to actually interact with the system you are building. This is a very high level view of the entire system, of course.
There can be multiple variations on this, how tokens are issued, what type they
are etc. I prefer JWT ( JSON Web Tokens ) as it's JSON and thus lightweight.
A quick search revealed this: http://bshaffer.github.io/oauth2-server-php-docs/overview/jwt-access-tokens/
I do have my own article on building your own OAuth2 system, however it is based on dot net not PHP. You are welcome to use it though maybe it will help clarify the concept.
Here's the link : https://eidand.com/2015/03/28/authorization-system-with-owin-web-api-json-web-tokens/
I've worked on several websites few years ago and I want to be up-to-date with "the new web" so I'm working on a website using Laravel and Lumen to practice.
I have an architecture like that:
An API using Lumen (with databases: users data, user preferences, …)
A website (without database, this part just ask to the API some data and allow the user to be connected to his account)
Currently everything in my API is public: retrieving users, deleting accounts, searching users, etc.
The problem is that I don't know how to allow situations like that:
Allow my website to execute actions calling the API (call private routes on my API)
I would like to have some routes public on my API (the easiest part, it's done actually)
I would like to allow external users to call my API if they have a valid token (Google analytics, Bugsnag like services)
I'm thinking about services like Google analytics, Bugsnag, …: this services ask the user to put a token/key in Javascript. Is it a problem if someone take the token and use it on his personal website and/or in a mobile application?
I've read about o-auth 2, is it the place to start?
Thanks!
I suggest you to try for:
Allow my website to execute actions calling the API (call private routes on my API)
JWT Authentification (JSON Web Tokens).
How do JSON Web Tokens work?
In authentication, when the user successfully logs in using his credentials, a JSON Web Token will be returned and must be saved locally (typically in local storage, but cookies can be also used), instead of the traditional approach of creating a session in the server and returning a cookie. Read more about jwt
Use this JWT-AUTH for connection jwt mechanism with lumen/laravel.
I would like to allow external users to call my API if they have a
valid token (Google analytics, Bugsnag like services)
For that task I suggest you to use OAuth 2.0 protocol
I am creating a Restful server using Codeigniter, that will be accessed via a PhoneGap mobile app. I am not sure how to properly secure the API.
I am using this REST library: https://github.com/chriskacerguis/codeigniter-restserver
This post was helpful, but I have questions: Security PHP RESTful API
I setup codeigniter to store sessions in a table. I have secured using SSL.
Is a Session ID the same thing as a Token?
Do I need to set anything manually in a Auth Header? If so whcih side? On the REST server or in Angular?
I should point out that there are two facets to the app. One part behind a login, and one not.
Assign a token(random-string) to each user account. User should request all web services with a token.
Validate token on behalf of each user and then expose data.
I am developing rest apis in symfony application.
Right now my apis are used by my application only on frontend (ajax requests by Angularjs). In future I would like to expose same APIs to third party applications as well.
Also I will be having have Android, IPhone apps etc in future.
I have integrated FOSOAuthServerBundle, and have tried all grant type workflows. Its all working. But I am confused about can these be used by my application or are they for only 3rd party applications who like to integrate with my application ?
I understand how these workflow can be used by 3rd party apps. But really can't understand how can I authenticate my native application users ?
I want to know how to use this bundle to authenticate users on my website through rest apis from my frontend app ?
Currently I am usnig FOSUserBundle and form_long to authenticate user but I am changing frontend to use Angularjs and rest based. So ideally authentication should just work like form_login authentication but it should be rest based.
I did research on it and people suggest to use "Resource Owner Password Credentials" But it needs client secret to be exposed in javascript which may not be secure
It should work e.g. user submits username/password credentials like it works in case of form_login but instead of redirecting it should just return access_token.
Do I need to write my custome authentication provider which uses UsernamePasswordToken and firewall listener like OAuthListener which returns access_token ? Would that be secure to use?
The similiar question with some discussion here:
Symfony2 FOSOAuthServerBundle grant type password requires client secret
If you don't want to expose secret, use a proxy beetween your front-end angular code and actual OAuth server. Anyway, if you expose secret it still needs user credentials.
You can set allowed grant types to each OAuth client, so in case you create mobile apps, you'll want to generate a separate pair of client_id & client_secret for the app and for the front-end, with the only allowed grant type of "password" for the front-end app.