I want to protect my REST API by using an oauth2 authentication. I'm using bshaffer/oauth2-server-php in combination with zend 3.
I've the following config:
// autoload/oauth2.global.php
return [
'zf-oauth2' => [
'db' => [
'dsn' => sprintf(
'mysql:dbname=%s;host=%s',
false !== getenv('DB_NAME') ? getenv('DB_NAME') : '',
false !== getenv('DB_HOST') ? getenv('DB_HOST') : ''
),
'username' => false !== getenv('DB_USER') ? getenv('DB_USER') : '',
'password' => false !== getenv('DB_PASS') ? getenv('DB_PASS') : '',
],
'storage' => MyApp\OAuth2Module\Adapter\PdoAdapter::class,
'enforce_state' => true,
'allow_implicit' => true,
'access_lifetime' => 3600,
'api_problem_error_response' => false,
'options' => [
'use_jwt_access_tokens' => false,
'store_encrypted_token_string' => true,
'use_openid_connect' => false,
'id_lifetime' => 3600,
'www_realm' => 'Service',
'token_param_name' => 'access_token',
'token_bearer_header_name' => 'Bearer',
'require_exact_redirect_uri' => true,
'allow_public_clients' => true,
'allow_credentials_in_request_body' => true,
'always_issue_new_refresh_token' => false,
'refresh_token_lifetime' => 1209600,
],
],
];
And my auth route looks like this:
// autoload/router.global.php
return [
'router' => [
'routes' => [
'api' => [
'type' => Literal::class,
'options' => [
'route' => '/api',
],
'may_terminate' => false,
'child_routes' => [
'rest' => [
'type' => Literal::class,
'options' => [
'route' => '/rest',
],
'may_terminate' => false,
'child_routes' => [
'oauth' => [
'type' => Literal::class,
'options' => [
'route' => '/oauth',
'defaults' => [
'controller' => 'ZF\OAuth2\Controller\Auth',
'action' => 'token',
],
],
],
],
],
],
],
],
],
];
Everything works fine so far. I can post my client credentials to the oauth endpoint and get an access token.
But how can I protect the other endpoints? F.e. I make a GET request to /api/rest/myapp/GetList. The list of my entities should only be retrieved if the user also sends the authorization bearer with the request but I can't find a solution for this. Is it possible to set a parameter (something like "require_token") in the route config to "activate" this behavior? Or what is the correct way to protect my REST API?
There's no build-in system to make this. You will create a listener which's listens MvcEvent::Event_ROUTE and place it after router then check if there's a routematch. If there's one, check if it's protected route. If it's apply authentication logic.
Related
I need to override a view file like ‘pathMap’ => [ ‘#dektrium/user/views’ => ‘#app/views/site’] I followed manual (https://github.com/dektrium/yii2-user/blob/master/docs/overriding-views.md) but all I see is the old view whatever I do. Perhaps something wrong with baseUrl or basePath but I’m not sure what I should do.
frontend/config/main.php:
'components' => [
'request' => [
'csrfParam' => '_csrf-frontend',
'baseUrl' => '/',
],
// .................
'urlManager' => [
'enablePrettyUrl' => true,
'showScriptName' => false,
'rules' => [
'/' => 'site/index',
'<action:\w+>' => 'site/<action>',
],
],
'view' => [
'class' => 'yii\web\View',
'theme' => [
//'basePath' => '#app/themes/basic',
//'baseUrl' => '#app/views/site',
'pathMap' => [
'#dektrium/user/views' => '#app/views/site'
]
]
]
//.................
]
common/config/main.php:
'modules' => [
'user' => [
'class' => 'dektrium\user\Module',
'admins' => ['admin'],
'modelMap' => [
'User' => 'common\models\User',
],
]
I open page on the address like mydomain.test/user/register (in case it’s somehow matter)
I also tried to put ‘view’ part in components of common/config/main.php and of module. Tried to create themes folder and put new view therein, nothing seems work
ok, I finally fixed it
'view' => [
'class' => 'yii\web\View',
'theme' => [
'basePath' => '#frontend/views/site',
'baseUrl' => '#frontend/views/site',
'pathMap' => [
'#dektrium/user/views/registration' => '#frontend/views/site',
]
]
]
This is how I defined route for my api. It is prefixed with /api/v1. But now few new modules are added in api v2 and all v1 apis are remains same and available in v2. How can i modify this routes that will serve all routes belongs to /api/v1 and when /api/v1 is called and it should serve both /api/v2 and /api/v1 when /api/v2 is called?
module.config.php
'product' => array(
'type' => 'Zend\Router\Http\Segment',
'options' => array(
'route' => '/api/v1/categories[/:id]',
'defaults' => array(
'controller' => CategoryController::class,
),
),
),
'products' => array(
'type' => 'Zend\Router\Http\Segment',
'options' => array(
'route' => '/api/v1/products[/:id]',
'defaults' => array(
'controller' => ProductsController::class,
),
),
),
// ... at lots of v1 apis
//these are introduced in v2
'trends' => array(
'type' => 'Zend\Router\Http\Segment',
'options' => array(
'route' => '/api/v2/trends[/:id]',
'defaults' => array(
'controller' => TrendsController::class,
),
),
),
You can move those common v1 and v2 to a single parent route and v2-only ones to another. Below is sample (not tested) code that should help you understand the idea.
return [
// in Config.router.routes
'api' => [
'child_routes' => [
'v1' => [
'child_routes' => [
// your API 1-and-2 routes
'product' => [/* … */],
'products' => [/* … */]
],
'may_terminate' => false,
'options' => [
'constraints' => ['version' => 'v1|v2'],
'route' => '/:version'
],
'type' => Segment::class
],
'v2' => [
'child_routes' => [
// your API 2 routes
'trends' => [/* … */]
],
'may_terminate' => false,
'options' => ['route' => '/v2'],
'type' => Literal::class
]
],
'may_terminate' => false,
'options' => ['route' => '/api'],
'type' => Literal::class
]
];
If you prefer to not use child routes, you can simply add a route parameter/constraint instead of /v1:
return [
'product' => [
'options' => [
'constraints' => [
'id' => '…',
'version' => 'v1|v2'
],
'defaults' => ['controller' => CategoryController::class],
'route' => '/api/:version/categories[/:id]'
],
'type' => Segment::class
]
];
I know this is late, but I just found this question.
Whilst #gsc's answer is somewhat ok, this is not the correct answer.
This is the correct answer, and this is how I use it:
'api' => [
/** Our main route is /api **/
'may_terminate' => true,
'options' => ['route' => '/api'],
'type' => Literal::class,
'child_routes' => [
/** Since our main route is /api, this will become /api/v1/YOUR_ACTIONS **/
'v1' => [
'type' => Segment::class,
'options' => [
'route' => '/v1[/:action]',
'constraints' => [
'action' => '[a-zA-Z][a-zA-Z0-9_-]*',
],
'defaults' => [
'controller' => Controller\ApiV1Controller::class,
'action' => 'index',
],
],
],
/** Since our main route is /api, this will become /api/v2/YOUR_ACTIONS **/
'v2' => [
'type' => Segment::class,
'options' => [
'route' => '/v2[/:action]',
'constraints' => [
'action' => '[a-zA-Z][a-zA-Z0-9_-]*',
],
'defaults' => [
'controller' => Controller\ApiV2Controller::class,
'action' => 'index',
],
],
],
/** Add as many "versions" as you want, all with different controllers. **/
],
],
This allows you to use different "versions" of your controller and is shorter, better understandable and complies to standards.
Enjoy!
I've got a basic Yii2 project, in which i created a separate module "rest". I have set up urlManager in config/web.php file. It works fine for common url, but it seems to me it is not working with url starting with my module name: rest/.. I have actionAuth() in AuthController in my rest module, and it is accessible with this url: test.ru/auth/auth. But i want it to be accessible with this url:test.ru/auth. I tried to write like this in web.php :
'urlManager' => [
'enablePrettyUrl' => true,
'showScriptName' => false,
'rules' => [
[
'class' => 'yii\rest\UrlRule',
'controller' => 'rest\auth',
'extraPatterns' => [
'POST /' => 'auth',
],
'pluralize' => false,
],
],
],
But it does not work(not found error in browser).
I also tried like this:
'rules' => [
[
'class' => 'yii\rest\UrlRule',
'controller' => 'rest\auth',
'extraPatterns' => [
'POST rest/auth' => 'auth',
],
'pluralize' => false,
],
],
],
It seems to me that urlManager does not want to work for module. Next i tried to write the same code in my Module.php in rest/ directory. But it produced many errors. I think because of the same error things like that dont work too:`
'class' => 'yii\rest\UrlRule',
'controller' => 'rest\city',
'extraPatterns' => [
'DELETE {id}' => 'delete',
],
`
So my question is: how to set up urlManager for module in Yii2? I need to configure HTTP DELETE method, post methods work without any settings in urlManager.
The whole web.php file:
<?php
$params = require(__DIR__ . '/params.php');
$config = [
'id' => 'basic',
'basePath' => dirname(__DIR__),
'bootstrap' => ['log'],
'language' => 'ru',
'components' => [
'authManager' => [
'class' => 'yii\rbac\DbManager',
],
'request' => [
// !!! insert a secret key in the following (if it is empty) - this is required by cookie validation
'cookieValidationKey' => 'xxxxxxx',
'parsers' => [
'application/json' => 'yii\web\JsonParser',
]
],
'cache' => [
'class' => 'yii\caching\FileCache',
],
'user' => [
'identityClass' => 'app\models\User',
// 'loginUrl' => ['site/login'],
],
'errorHandler' => [
'errorAction' => 'site/error',
],
'mailer' => [
'class' => 'yii\swiftmailer\Mailer',
// send all mails to a file by default. You have to set
// 'useFileTransport' to false and configure a transport
// for the mailer to send real emails.
'useFileTransport' => true,
],
'log' => [
'traceLevel' => YII_DEBUG ? 3 : 0,
'targets' => [
[
'class' => 'yii\log\FileTarget',
'levels' => ['error', 'warning'],
],
],
],
'db' => require(__DIR__ . '/db.php'),
'urlManager' => [
'enablePrettyUrl' => true,
'showScriptName' => false,
'rules' => [
[
'class' => 'yii\rest\UrlRule',
'controller' => 'rest\user',
'except' => ['delete', 'create', 'update', 'index'],
'extraPatterns' => [
'GET all' => 'all',
]
],
[
'class' => 'yii\rest\UrlRule',
'controller' => 'rest\auth',
'extraPatterns' => [
'POST reg' => 'reg',
'POST auth' => 'auth',
'POST rest/auth' => 'auth',
],
'pluralize' => false,
],
[
'class' => 'yii\rest\UrlRule',
'controller' => 'rest\city',
'extraPatterns' => [
'DELETE {id}' => 'delete',
],
],
],
],
'i18n' => [
'translations' => [
'*' => [
'class' => 'yii\i18n\PhpMessageSource',
// 'basePath' => '#app/messages', // if advanced application, set #frontend/messages
'sourceLanguage' => 'en',
'fileMap' => [
//'main' => 'main.php',
],
],
],
],
],
'modules' => [
'admin' => [
'class' => 'app\modules\admin\Module',
],
'manager' => [
'class' => 'app\modules\manager\Module',
],
'rest' => [
'class' => 'app\modules\rest\Module',
],
'rbac' => [
'class' => 'mdm\admin\Module',
'controllerMap' => [
'assignment' => [
'class' => 'mdm\admin\controllers\AssignmentController',
/* 'userClassName' => 'app\models\User', */
'idField' => 'id',
'usernameField' => 'username',
],
],
'layout' => 'left-menu',
'mainLayout' => '#app/views/layouts/admin.php',
]
],
'aliases' => [
//'#mdm/admin' => 'app/mdm/admin',
],
'params' => $params,
];
if (YII_ENV_DEV) {
// configuration adjustments for 'dev' environment
$config['bootstrap'][] = 'debug';
$config['modules']['debug'] = [
'class' => 'yii\debug\Module',
// uncomment the following to add your IP if you are not connecting from localhost.
//'allowedIPs' => ['127.0.0.1', '::1'],
];
$config['bootstrap'][] = 'gii';
$config['modules']['gii'] = [
'class' => 'yii\gii\Module',
// uncomment the following to add your IP if you are not connecting from localhost.
//'allowedIPs' => ['127.0.0.1', '::1'],
];
}
return $config;
My Module.php code(commented code shows my attempt to write urlManager):
<?php
namespace app\modules\rest;
/**
* rest module definition class
*/
class Module extends \yii\base\Module
{
/**
* #inheritdoc
*/
public $controllerNamespace = 'app\modules\rest\controllers';
/**
* #inheritdoc
*/
public function init()
{
parent::init();
// custom initialization code goes here
\Yii::$app->user->enableSession = false;
$config = [
'components' => [
'basePath' => dirname(__DIR__),
// 'user' => [
// 'identityClass' => 'app\models\User',
// 'class' => 'app\models\User',
// 'enableSession' => false
// ],
// 'urlManager' => [
// 'enablePrettyUrl' => true,
// 'enableStrictParsing' => true,
// 'showScriptName' => false,
// 'rules' => [
// [
// 'class' => 'yii\rest\UrlRule',
// 'controller' => 'rest\city',
// 'extraPatterns' => [
// 'DELETE {id}' => 'delete',
// ],
// ],
// ],
// ],
'response' => [
'format' => \yii\web\Response::FORMAT_JSON,
'charset' => 'UTF-8',
'class' => 'yii\web\Response',
'on beforeSend' => function ($event) {
$response = $event->sender;
if(( $response->statusCode >= 200) && ( $response->statusCode < 300)) {
if(isset($response->data['_appErr'])) {
unset($response->data['_appErr']);
$response->data = [
'success' => false,
'error' => $response->data,
'data' => null,
];
} else {
$response->data = [
'success' => $response->isSuccessful,
'error' => null,
'data' => $response->data,
];
}
} else {
if($response->statusCode == 401) {
$response->data = [
'success' => false,
'error' => [
'code' => 9,
'message' => 'Unauthorized',
'user_msg' => 'You need to be authorized',
],
'data' => null,
];
}
// else {
// $response->data = [
// 'success' => false,
// 'error' => [
// 'code' => 1,
// 'message' => 'server has returned '.$response->statusCode.' error',
// ],
// 'data' => null,
// ];
// }
}
},
],
],
];
\Yii::configure(\Yii::$app, $config);
}
}
Try this:
namespace yii\rest;
class UrlRule extends Object implements UrlRuleInterface {
public function parseRequest($manager, $request) {
list($e1, $e2) = sscanf($request->getPathInfo(), '%[a-zA-Z]/%[a-zA-Z]');
if ($e1 === 'auth' && $e2 === '') {
return ['/auth/auth', $request->queryParams];
}
return false;
}
}
Use forward slash(/) while defining the controller value in the rules array.
This will work:
'urlManager' => [
'enablePrettyUrl' => true,
'showScriptName' => false,
'rules' => [
[
'class' => 'yii\rest\UrlRule',
'controller' => 'rest/user',
'except' => ['delete', 'create', 'update', 'index'],
'extraPatterns' => [
'GET all' => 'all',
]
],
[
'class' => 'yii\rest\UrlRule',
'controller' => 'rest/auth',
'extraPatterns' => [
'POST reg' => 'reg',
'POST auth' => 'auth',
],
'pluralize' => false,
],
[
'class' => 'yii\rest\UrlRule',
'controller' => 'rest/city',
'extraPatterns' => [
'DELETE {id}' => 'delete',
],
],
]
Check out the documentation here: http://www.yiiframework.com/doc-2.0/guide-rest-versioning.html
In ZF3 I want to get default parameter from route. I'm getting parameters in this way in controller:
$params = $this->params()->fromRoute('crud');
My urls looks like this:
1: somedomain/admin/color/add
2: somedomain/admin/color
In 1) I'm getting add in my $params variable.
In 2) I'm getting null but I'm expecting default (in this case view)
I think this is problem with bad router configuration.
'admin' => [
'type' => Segment::class,
'options' => [
'route' => '/admin/:action',
'defaults' => [
'controller' => Controller\AdminController::class,
'action' => 'index',
],
],
'may_terminate' => true,
'child_routes' => [
'color' => [
'type' => Segment::class,
'options' => [
'route' => '/:crud',
'constraints' => [
'crud' => 'add|edit|delete|view',
],
'defaults' => [
'controller' => Controller\AdminController::class,
'crud' => 'view',
],
],
],
],
],
In your route definition, you didn't says the router that your crud parameter is optionnal. So when you call somedomain/admin/color, it is the route /admin/:action which is selected.
To specify a optional parameter, use the bracket notation (assuming you use the same action):
'admin' => [
'type' => Segment::class,
'options' => [
'route' => '/admin/:action[/:crud]',
'defaults' => [
'controller' => Controller\AdminController::class,
'action' => 'index',
'crud' => 'view',
],
'constraints' => [
'crud' => 'add|edit|delete|view',
],
],
],
I am currently trying to install a Yii2 extension for implementing an OAuth2 server (https://github.com/Filsh/yii2-oauth2-server). However, I keep running on the error below:
Does anyone have an idea on how to install this extension. I followed the instructions given but there was no mention about that error.
Satya is right. You need to configure oauth2 module as described on repo's description:
'oauth2' => [
'class' => 'filsh\yii2\oauth2server\Module',
'options' => [
'token_param_name' => 'accessToken',
'access_lifetime' => 3600 * 24
],
'storageMap' => [
'user_credentials' => 'common\models\User'
],
'grantTypes' => [
'client_credentials' => [
'class' => 'OAuth2\GrantType\ClientCredentials',
'allow_public_clients' => false
],
'user_credentials' => [
'class' => 'OAuth2\GrantType\UserCredentials'
],
'refresh_token' => [
'class' => 'OAuth2\GrantType\RefreshToken',
'always_issue_new_refresh_token' => true
]
],
]
I've configured this extension successfully and created Yii2 Rest API template with OAuth2 server https://github.com/ikaras/yii2-oauth2-rest-template - feel free to use. Also this code has some demo data (examples of using) and support of scopes for controllers.
Add give 'oauth2' configuration in 'modules' section of config/main.php.
It may work
Use this configuration under your confin/main.php file under modules section.
'oauth2' => [
'class' => 'filsh\yii2\oauth2server\Module',
'tokenParamName' => 'token',
'tokenAccessLifetime' => '100800', // Expiry Time
'storageMap' => [
'user_credentials' => 'common\models\User', // This Should be your model name
],
'grantTypes' => [
'client_credentials' => [
'class' => 'OAuth2\GrantType\ClientCredentials',
'allow_public_clients' => false,
],
'user_credentials' => [
'class' => 'OAuth2\GrantType\UserCredentials',
],
'refresh_token' => [
'class' => 'OAuth2\GrantType\RefreshToken',
'always_issue_new_refresh_token' => true,
'refresh_token_lifetime' => '100800',
],
],
];
Found solution my-self on scope issue, maybe it will be useful for someone - marked with ** in config:
'modules' => [
'oauth2' => [
'class' => 'filsh\yii2\oauth2server\Module',
'tokenParamName' => 'accessToken',
'tokenAccessLifetime' => 3600 * 24,
'storageMap' => [
'client_credentials' => 'app\models\User',
'user_credentials' => 'app\models\User',
**'scope' => 'app\models\User',**
],
'grantTypes' => [
'client_credentials' => [
'class' => '\OAuth2\GrantType\ClientCredentials',
'allow_public_clients' => false,
'always_issue_new_refresh_token' => true
],
'user_credentials' => [
'class' => 'OAuth2\GrantType\UserCredentials',
],
'refresh_token' => [
'class' => 'OAuth2\GrantType\RefreshToken',
'always_issue_new_refresh_token' => true
]
]
]
],