I am creating a Restful server using Codeigniter, that will be accessed via a PhoneGap mobile app. I am not sure how to properly secure the API.
I am using this REST library: https://github.com/chriskacerguis/codeigniter-restserver
This post was helpful, but I have questions: Security PHP RESTful API
I setup codeigniter to store sessions in a table. I have secured using SSL.
Is a Session ID the same thing as a Token?
Do I need to set anything manually in a Auth Header? If so whcih side? On the REST server or in Angular?
I should point out that there are two facets to the app. One part behind a login, and one not.
Assign a token(random-string) to each user account. User should request all web services with a token.
Validate token on behalf of each user and then expose data.
Related
I have a dating site.. so users need to sign up and sign in to chat we others.
My website is made in HTML and PHP and when a user is logged in, i use $_SESSION.
But my new site (v2), will use a JS FrameWork with calls to my api.
So my first question is about this API... Should i use $_SESSION in my API to find out which user is logged in?
And the second part of my question is.. After my webapp will be done, i will start the mobile app and i was wondering if i can use the SAME API Or it is better to use another api dedicated to the mobile app ?
By aPI i mean all file to interact with the user (entry point, routes, controllers, models... )
So one API for mobile app and my web app? or it is better to have an api for each app
Pascal
API's meant to be stateless and need to have JWT or other stateless token based mechanisms to perform authentication.
You can use token based authentication for both web and mobile apps.
For JWT authentication you can use one of the packages listed on: https://jwt.io/libraries?language=PHP
I have a Shopify store that uses a custom application for handling the checkout. So this custom application is hosted on another server and the functionalities are accessible via endpoints. The authentication to the Shopify store is handled by another SSO application.
So what happens is that the endpoints to the custom application are not completely secured. This is because since the user authentication is handled by another 3rd party application we don't have any control over it. So we are unable to retrieve the auth token whenever a user logs in.
This is restricting me from implementing a token-based authentication for the API endpoints. Is there any way to make the API's secure in this case? Any help is much appreciated.
FYI: The custom application is implemented using Laravel!
I have a web app hosted in Firebase in vue.js. The app access to the organization's main database via API to a back-end server developed in PHP (laravel) hosted in GAE.
I'd like to know if using Firebase Cloud Function on the client (js) to make calls to a back end API (PHP) would help me to protect data and be more efficient authenticating calls from the client to back end.
Currently:
Users login into the client using Firebase Auth and the client sends the resulting token to my back-end server on each API call. Then the back-end verifies the token received via HTTPS using FB Auth API and then if verified, the backend would return the request data via JSON back to the client-side via HTTPS response.
My 2 biggest concerns are:
1) would this approach scale well with more users.
2) for large extractions of data, i.e. 1000+ rows. I'd like to avoid to have JSON objects being "downloaded" on the client.
New Scenario:
The users would still log in on the client (vue.js) using FB Auth, but the Client would use FB Cloud Functions to make the calls to the Back-End API data hosted on GAE and then return the data as an array.
The advantages I hope to utilize are:
- The client will not have https traffic with data as this would be handled by FBCF and send to the client via socket (?).
- Save verification auth calls from the server, IF there is a way for FBCF to make calls to GAE without the need to pass the token (maybe using endpoints?)
Does this make sense or am I introducing a middle man unnecessarily?
This question already has answers here:
how to authenticate RESTful API in Laravel 5?
(2 answers)
Closed 6 years ago.
What is best way to secure API calls from AngularJS(Mobile application) / HTML pages to a Laravel PHP backend?
To be clear, I'm NOT talking about user login authentication.
I'm planning an API based application. I would like to read the JSON data from my API into an page using AngularJS, before any user is asked to sign up or log in.
I need to ensure that only my client front-end can access this data. Is there an existing system to send a token or utilise my secret key, to ensure that only my front-end can access my API? I would also like to be able to revoke access from a specific client or tenant.
What are security options for this set up? I'm thinking along the lines of JWT, CORS etc... This is my first attempt at such an application, so please forgive my ignorance! How to securely access API from Mobile application
You should use CORS and only allow the web application domain to request the API. Then any other request won't have access to the data.
Using a token won't be safe since anybody can access it from your application and use it outside.
Take a look at this package to manage CORS inside Laravel
This is application to application authorization. You could use a protocol such as OAuth2, however there's an interesting way of avoiding such a protocol.
If I were you, I'd go with client-side SSL certificate. The idea is that your client (mobile app) presents a certificate to the web server. Web server tries to verify the certificate. If it verifies it, it sends a parameter to PHP script that it verified you. If not, the parameter is empty or not sent.
Here's a link to a blog post that describes this process.
There are other ways to implement app to app authorization, by implementing secret keys, one time passwords etc. but no approach is as straight-forward and easy as client-side certificate.
I would like my PHP based page (directory.domain.com) to use my NodeJS server to authenticate (api.domain.com). I have implemented passportjs on the NodeJS server for authentication.
I would like to authenticate the user through the NodeJS server when submitting a login form on directory.domain.com and create a session whereby the user can make post, get, put calls to the api.
Is this something that is possible? Is it as simple as creating a ajax request to the api and then setting a token?
Yes it is possible. Maybe the best way of doing this is using JSON Web Token (JWT) for authenticating the user (or the PHP Session) with the NodeJS API. More Info on JWT here: jwt.io.
Under Libraries you also find multiple PHP and NodeJS Libraries to use.