I am building an API using Zend Soap and there has to be some sort of authentication to actually use the API. Also I don't want the user credentials to be sent over the net each time a request is done.
Is it ok to do an post-authentication by using sessionids & something like this:
User authenticates himself once via SOAP and gets his serverside session id in return.
After that the User has to send his sessionid within the SOAP Header each time he requests something.
When I get an header containing a sessionid, I check the id against my sessionid_db and perform the request if everything seems alright.
Look into oauth? zend_oauth
Related
I have a CodeIgniter App that is made of 3 parts:
The API, basically is a separate entity, with its own location
The CodeIgniter back-end that renders the pages
The FrontEnd of the app, mostly jQuery.
I have a login system based on session and cookies. Basically the authentification data is stored on the client (browser).
A user authentificates with email and password. The backend looks for a authentification cookie and knows if it is logged in or not. If I make an AJAX request to the API directly, the API also knows if the user is authentificated.
Problem: I want to render some data server-side (That means I need to make a call to the API from the backend. It's a server to server communication. They are located on the same machine. ).
The API tells the backend that it's not authentificated, because obviously no cookie is set on the backend.
How do you pass authentification data from backend to api?
I might pass the userID via a secure endpoint that can be accessed only via the server to server communication, but I don't like the idea.
Any solutions to this? I read about oAuth and JWT but don't understand how they might help me.
the API should be built on top of the back-end. meaning the request is handled by API, then activates a function in the back-end and sends a response back to the client who sent the request(according to the result of the function in the back end). JWT json web token, is a token provider which means once you log in you get back a token "string" that is stored in the data base, in the request for the API you add the token to the header named Authorization instead of sending user and password everytime and you can extract the user info out of the token itself.but still there is need to check the validity of user and pass somehow at the first time.
basically you should send from client to API, API to server and then for response server to API and API to client. by server i mean back-end.
Our android app only has facebook login.
Here's what happens in server:
A user is created when a POST request is sent using facebook's user access token in body.
Whenever a user gets created via POST request, an api token is generated and sent as a response as follows:
{"message":"User Successfully Created","api_token":"ACITyBKf0jKrfqOFumTMcaEEJ8jU151crRdESMPmBj8zbeENslULHfNXlKeo"}
I did this because the api token that is generated in the server is stored in android app's local storage and is needed to make other requests.
Now, if the user already exists in the server, the response would be
{"message":"User Already Exists!!","api_token":"ACITyBKf0jKrfqOFumTMcaEEJ8jU151crRdESMPmBj8zbeENslULHfNXlKeo"}
This is in case the user deletes the app and installs again.
Now, to submit score, a PATCH request is to be sent with:
Headers:
Content-Type:application/x-www-form-urlencoded
api_token:ACITyBKf0jKrfqOFumTMcaEEJ8jU151crRdESMPmBj8zbeENslULHfNXlKeo
fb_id:xxxxxxxxxx
Body:
distance:2
golds:19
xp:23
(Note: I tested the above request using postman)
Now, the problem is that I spotted a loophole.
A person can find out their facebook user access token and their facebook id anytime. So, if they make a POST request with that user access token, they will receive the api_token (In the "User Already Exists!!" response). And once they have api_token and fb_id, they can make a PATCH request to modify their scores to whatever they want.
What am I doing wrong? How can I secure my server from being hacked like this?
Please help me. I am a beginner in api design.
Thanks
If their API token is available to them in the app at all, that's probably a bad thing. If its not available to them in the app, say they're just forging in-app POST requests and retrieving the raw data, then they're probably trying to hack or pentest the system.
If that's the case, maybe sending the unencrypted API key via POST in the first place is a bad idea. If their API key is all they need to start doing bad things to your system, why ever give it to them in the first place?
Because your app needs it to remember them. What about something like this:
New user, server md5 hashes their API key and sends it to them to be stored.
Existing user, server md5 hashes their api key and sends it to them to be stored (if needed)
Official Existing Score change occurs: app re-md5 hashes the already hashed api key, sends that with the PATCH request. Server has database with doubly hashed api keys which it finds yours and identifies you as the user, and things go on normally from there.
I'm working in an SPA (single page app), witch my idea is to deploy it in app.mydomain.com, and the thing is when a make a request to the API (CakePHP3 in mydomain.com) I cannot get data from authenticated user (if there is one).
I think I have two options, share session between domains, or use an user_token to make an authenticated call, but i'm not sure how it's works.
Any ideas / recomendations?
Regards!
I would recommend to use an "user_token". You could add an authentication endpoint to your API where the user sends the credentials and the endpoint returns an JWT. Then you should include this JWT in every subsequently request to your API (in the Authorization header). The API can then validate the request based on the JWT. In PHP there are already some good libraries to create and validate an JWT. If you have the time you should also take a look at OAuth2.
I want to register users to my webinars after they submit a form in my site, this is common practice but I'm having problems authenticating my application.
The problem is that according to the documentation Citrix doesn't support username-password authentication flow (where you put your user and pass in a request and you get a token):
https://developer.citrixonline.com/content/username-password-flow
Instead users need to be directed to a login page to complete their Citrix account credentials, supposedly this can be done by me just once and then save the token, however I couldn't find a method to do it safely, I tried once to save the token and just the next day it was expired. So how can I make sure I get a fresh access token without
I'm using this PHP library which is supposed to simplify the login process (maybe there is some clue in it):
https://github.com/jakir-hayder/Citrix-GoToWebinar-PHP-Library
First, read this primer on OAuth workflow to ensure you have the terms and concepts down pat. (You can ignore the fact that the example is for SalesForce -- OAuth is all the same.)
Then, you should understand that you're looking for the Citrix Token Request Endpoint, which they happen to call "Direct Login".
That should let you pass the username/password to get the token to use in subsequent requests. That what you need?
I would use Fiddler or Wireshark to collect the API calls that are made to the Citrix API when you log in. Then add some code in your applicaiton to send the same requests, parse the response that has the access token, and dynamically use that token however you've already got it set up in your application.
I have been trying to connect to the Salesforce REST API but am not having very much luck.
The Salesforce REST API Quick Start Guide states that an HTTPS callback url is required, but then in the example they use https://localhost:8443/RestTest/oauth/_callback as the callback url.
I tried connecting on my testing server (HTTP) using this php Salesforce REST API example, but Salesforce seems to have had a fit and entered a redirect loop.
Is it possible to connect to the Salesforce REST API if I do not have an SSL Certificate, and if so, how might I go about doing so? For the record, my application is written in PHP, not Java like most of the official examples are.
For localhost it accepts http, and you should use https for other than localhost.
But the redirect URI in the request and the callback url in the connected app should get matched.
You can use http://localhost:8080/<any_page_in_ur_project> in both connected app and in request.
I've never used the Salesforce REST API, but I have read the page you linked to.
The OAuth callback URL must be HTTPS. You seem to have discovered this yourself, both in the documentation:
It must be secure: http:// does not work, only https://
...and the example:
#WebInitParam(name = "redirectUri", value =
"https://localhost:8443/RestTest/oauth/_callback")
As for your other question:
Is it possible to connect to the Salesforce REST API if I do not have an SSL Certificate, and if so, how might I go about doing so?
Presumably by the second method, as alluded to in the first sentence on the page you linked to:
You can set up authorization using OAuth 2.0 or by passing a session ID.
...
Session ID Authorization
You can use a session ID instead of an OAuth 2.0 access token if you aren't handling someone else's password:
Obtain a session ID, for example, a SOAP Web services API login() call returns the session ID. You may also have the session ID, for example as part of the Apex current context.
Use the session ID when you send a request to the resource. Substitute the ID for the token value.
So provided you aren't handling some else's password (whatever that means), you can use login() to get a Session ID and communicate with the web service from there.