I am developing a new api using rest api php. This API can only operate securely over SSL/TLS. All API requests must be made over HTTPS. Calls made over plain HTTP will fail and the api client must authenticate for all requests. What can we do.
I have used RestServer Controller for this.
A fully RESTful server implementation for CodeIgniter using one library, one config file and one controller.
Here is the link:- https://github.com/chriskacerguis/codeigniter-restserver
Just go through the implementation.
Hope this help.
Related
I am trying to setup API authentication for APIs that I have created using PHP. My website, (Client) has been created using React. I have been researching and I cannot find anything that explains what I need to know. One of the main resources I am using is the PHP documentation:
https://www.php.net/manual/en/book.oauth.php
The things I am struggling with is the generating of the tokens, what information do I use in the creation of tokens? How do I setup my APIs to be classed as a protected resource?
From the understanding that I have about oauth, The client will send a request to the server for a request token. Once it has the request token, in the callback, it will request an access token using the request token. The access token will then be used to request access to the API. Does that sound right?
Any help would be greatly appreciated.
Oauth is pretty complex to implement, and is mostly used in situations where 3rd parties need to authenticate you users in their own code, or where there are complex authentication requirements.
Your case seems to be pretty simple, have you considered just using session/cookie based authentication, or using tokens generated on the server side?
How to set up rest server and client.
I read the tutorial https://code.tutsplus.com/tutorials/working-with-restful-services-in-codeigniter--net-8814.
I got idea about restfull services , and rest server work fine , but rest client not.
My problem is I dont get the idea about rest client spark , And the given link CodeIgniter Curl library: http://getsparks.org/packages/curl/show was down , So cant get this.
How do I get this ?
The client mentioned in the post is merely for testing purposes. It is not part of the REST server.
What you need to set up in your code is the REST server library, method of authentication, database tables (if using any), and the controllers that will map your endpoints.
The client concept represents any device/application that will be consuming from or sending data to your REST service through the HTTP methods.
You could be using postman for your testing. It is free and open-source, and very intuitive to use.
I am building my first rest API for an iOS app.
The framework I use for buidling the API is Laravel.
Everything works great so far but I am not sure on how to log users in using the API.
Could sessions work here? Im already using SSL/HTTPS but I dont wanna authenticate users on each
request, so whats the best way to only make them log in once?
Also, should oAuth work fine here?
If you have any examples on how to log users in on a Laravel built api please share.
Thanks in advance
With my experience, Laravel built in Authentication component is just be able to applied to normal authentication via form, session and cookie. To handled API authentication, I have used these methods, hope that one of them is suitable for you.
OAuth 2
With the help of lucadegasperi/oauth2-server-laravel, you can make your API secured via OAuth flows. More documentation can be found at the package wiki on Github or the PHP League Oauth2 home page. You can use filters to secure your API routes as follow:
Route::get('protected-resource', ['before' => 'oauth:scope1,scope2', function() {
// return the protected resource
}]);
However, OAuth need a database to save client credentials and some more settings, if your API is not so complicated, this solution may not suitable.
HTTP Authentication
This solution is more simple than OAuth and I recommend using it with an SSL (HTTPS) connection because the authentication information can be visible why using this. The packages I used before is Intervention/httpauth. You have two options with authentication method by using this package: basic (send a base64 encoded of the combination username:password via HTTP header) or digest (use MD5 algorithm to encode your information before sending via HTTP header). This solution does not required any database.
I have a main website (which contain all data) and multiple client websites which fetch data from the main website. Each client website has access to different set of data on main website. I want to create a PHP based web API for this. This is my first API so I am not sure what is the best and most secure way to do this.
After some googling I found OAuth to be the most common authentication method for APIs. however in my case I want the client website to be configured once and then the communication should be automatic, i.e. communication should take place in background without any user interference. Is OAuth required for this scenario?
Or is there any other method I can implement here?
oauth is way to complicated to implement for your needs.
If you are using rest, i suggest using a basic-auth in the header and using SSL so that your communication is encrypted.
You could make a small SecurityFilter that checks if for any request with a url pattern /api/ that the basic-auth is correct and that it use SSL...
It really depends on how you are exposing your API.
If you are using REST, HTTP Basic Auth over HTTPS is sufficient. I see a lot of people try to implement their own solutions when the provided approach is quite sufficient.
If you are using SOAP, there is a SOAP-based approach you could use: WS-Security (which is just a standard using anything from SAML assertions to OAuth tokens).
If passing Basic Auth credentials over HTTPS is too "open" for you, in that the credentials are saved in config on the client server somewhere, OAuth2 is probably the best solution. Doing OAuth on the server side wouldn't require any user interaction. You just store your tokens in a server config and let the OAuth library take care of the rest. PHP has a library for this PHP OAuth Library. There are plenty of OAuth2 libraries for PHP. Just Google it.
After some more googling and research I found answer to my question:
The scenario I explained is an example of 2-legged oauth (one can find many articles about 2-legged and 3-legged oauth)
Also, OAuth is not difficult to implement, infact for a developer with good knowledge of API and Auth system its very easy.
Here's a link of very good php OAuth library with example code http://code.google.com/p/oauth-php/
I have an API written in PHP that works by receiving HTTP POST requests, the API will then process the request and output some XML.
I have an Android application that is communicating with this API successfully.
My question is how do I make this secure?
I was looking into using OAuth, but for PHP it uses a library that is not available to me.
Plus as the API is not public and only to be used by external applications created by myself, this seems a bit overkill.
What other suggestions would you recommend? I was looking at sending an API key/signature along with the POST request.
It should be done the same way you make javascript calls secure. You use sessions. You should be able to send and receive headers, why not accept cookie-like data? At least session_id. Securing with SSL for open wifi hotspots would also be very beneficial if you use symmetric authentication.
OAuth has a different purpose - its when your website starts to host third party applications that users want to use without giving this app own password.