I would like my PHP based page (directory.domain.com) to use my NodeJS server to authenticate (api.domain.com). I have implemented passportjs on the NodeJS server for authentication.
I would like to authenticate the user through the NodeJS server when submitting a login form on directory.domain.com and create a session whereby the user can make post, get, put calls to the api.
Is this something that is possible? Is it as simple as creating a ajax request to the api and then setting a token?
Yes it is possible. Maybe the best way of doing this is using JSON Web Token (JWT) for authenticating the user (or the PHP Session) with the NodeJS API. More Info on JWT here: jwt.io.
Under Libraries you also find multiple PHP and NodeJS Libraries to use.
Related
I am having a PHP based application, that uses MySQL as the DB. I am currently trying to build a real-time messaging system for the users in the application. I have found Firebase to be a very good solution for building this. However, I am not sure if the architecture I am planning is compatible with the architecture am planning. Digging through the documentation didn't really get me the answers.
My Doubts are:
I don't want users to again login to use chat, so I want to
authenticated via the server (i.e from php).
I want, the further chat/messaging to happen from client to Firebase directly as I don't want to have unwanted overhead on my server, especially when a direct connection is not only supported but also efficient.
Can I authenticate via php and get some secret key or something and then use that to connect securely via Js?
I found this link which talks about custom authentication system. But am not sure, if this is what I have to use. And if the solution am planning is scalable and ok.
Firebase Auth persists the session on the client via localStorage/indexedDB and is a headless API that doesn't require a hosted server. So you are not required to authenticate the user via your server.
You can definitely build the messaging app entirely on the client with real-time database without routing traffic to your server. Here is an example of a chat app built with Firebase: https://github.com/firebase/friendlychat
If you already have an existing authentication system, you can use custom auth which requires that you mint a custom token after you authenticate a user with your system, you then send that custom token to the client and then signInWithCustomToken. Here is some code to create a custom token with PHP: https://firebase.google.com/docs/auth/admin/create-custom-tokens#create_custom_tokens_using_the_firebase_admin_sdk
If you don't have an existing auth system, you can entirely run the authentication on the client side. Another good library for authentication that is built on top of Firebase is FirebaseUI: https://github.com/firebase/firebaseui-web
This question already has answers here:
how to authenticate RESTful API in Laravel 5?
(2 answers)
Closed 6 years ago.
What is best way to secure API calls from AngularJS(Mobile application) / HTML pages to a Laravel PHP backend?
To be clear, I'm NOT talking about user login authentication.
I'm planning an API based application. I would like to read the JSON data from my API into an page using AngularJS, before any user is asked to sign up or log in.
I need to ensure that only my client front-end can access this data. Is there an existing system to send a token or utilise my secret key, to ensure that only my front-end can access my API? I would also like to be able to revoke access from a specific client or tenant.
What are security options for this set up? I'm thinking along the lines of JWT, CORS etc... This is my first attempt at such an application, so please forgive my ignorance! How to securely access API from Mobile application
You should use CORS and only allow the web application domain to request the API. Then any other request won't have access to the data.
Using a token won't be safe since anybody can access it from your application and use it outside.
Take a look at this package to manage CORS inside Laravel
This is application to application authorization. You could use a protocol such as OAuth2, however there's an interesting way of avoiding such a protocol.
If I were you, I'd go with client-side SSL certificate. The idea is that your client (mobile app) presents a certificate to the web server. Web server tries to verify the certificate. If it verifies it, it sends a parameter to PHP script that it verified you. If not, the parameter is empty or not sent.
Here's a link to a blog post that describes this process.
There are other ways to implement app to app authorization, by implementing secret keys, one time passwords etc. but no approach is as straight-forward and easy as client-side certificate.
I made an API for PHP which provides data to the Windows 10 UWP app to load data from MySQL. I would like to make sure that only the app has access to that data and people can't just check it out from a browser. Do you guys have any idea how to do it? Can I send a unique id from my app and check if it is real on the back end of the PHP server?
If you do not want to authenticate your users. You could pass the Appid in the header.
string appId = CurrentApp.AppId.ToString();
and only allow gets and posts with information included to use your api. It might be better to use an authentication service like an oath provider. This would be a much more secure way to go. Someone could easily spoof your app if you are not using https to communicate with your backend.
I am creating a Restful server using Codeigniter, that will be accessed via a PhoneGap mobile app. I am not sure how to properly secure the API.
I am using this REST library: https://github.com/chriskacerguis/codeigniter-restserver
This post was helpful, but I have questions: Security PHP RESTful API
I setup codeigniter to store sessions in a table. I have secured using SSL.
Is a Session ID the same thing as a Token?
Do I need to set anything manually in a Auth Header? If so whcih side? On the REST server or in Angular?
I should point out that there are two facets to the app. One part behind a login, and one not.
Assign a token(random-string) to each user account. User should request all web services with a token.
Validate token on behalf of each user and then expose data.
I have an existing third-party PHP Web Application (ELGG) that I would like to extend with a Node.js Application. Users are authenticated in the PHP app by checking their provided credentials against a MySQL database.
How can I secure access to the Node.js app without having to rewrite authentication code in Node? Is there some way to allow users to access the Node.js app only if they're logged in to the PHP app?
You could use a DB or some other shared repository to store the users session id, which Node can check to ensure the user is logged in.
I think the best way to approach it would be to have the PHP and the Node applications operate as subdomains of the same root domain, then have the Node application check for the PHP app's auth cookie. This would avoid the extra database call in Irwin's answer.
Once the user logs in to the PHP app, a Cookie with an authentication token is created for phpapp.mydomain.com (*.mydomain.com). The Node application, hosted at nodeapp.mydomain.com, can access the cookie auth token created at phpapp.mydomain.com.
In general, you would make the Node.js app a web service, make it available locally and not publicly, then write PHP code which performs auth, then calls the API provided by Node.js, then constructs a response for the user using that data.
I wrote an Elgg plugin which provide functionnality to access node.js server for websocket. You can check the code here: elgg-nodejs
I just parse the cookie to get session user:
getElggSession = function(socket) {
return socket.handshake.headers.cookie.match(/Elgg=(\S*);?/)[1];
};
Maybe it's not the best method for security...