I created an application with some models; after that, I used ACL and created some ACOs to protect my application.
Now I want to add a RESTful API to my application, so I edited routes.php with something like this:
Router::mapResources('routes');
Router::parseExtensions();
This also works fine; for example, going to http://localhost/myapp/routes.json gives me a JSON object of my routes if I'm already logged in.
Sure, somebody cannot log in with a web form when he is using my API, so I want to know if it is possible to send the regular login information with the request using REST Auth Basic (or Digest) and use the working ACL in my app to authenticate and show the result object (or, if it's wrong, send the right header).
Any ideas?
If something is unclear, PLEASE leave a comment.
I used the newest CakePHP version, 1.3.3.
If you look at other API-based services, usually they use a token to identify the user. For example, if there is a username matt and he has the token 123456, you can give him access to the URL http://localhost/myapp/123456/routes.json. Then, in your controller, you can authenticate the user by using the token.
HTTP digest authentication is possible when JavaScript is used to handle the authentication process; non-JavaScript clients default to the standard popup.
Probably they won't mind though.
Info found at http://www.peej.co.uk/articles/http-auth-with-html-forms.html :
The main reason people walk away from using HTTP authentication is that they want control over the look of the login form and most browsers display an awful looking dialog box. So what we need is a way for HTML forms to pass HTTP auth data when it's submitted. The HTML spec provides HTML forms as a way to create queries and to POST urlencoded data to a URL, but can we subvert it?
It comes with a warning :)
Warning: The solution outlined in this article is experimental and might be a complete lie, be warned that your mileage may/will vary.
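The check the question asks for, written out as an added example (this is not code from the question or from either answer, and not CakePHP's own Auth component): a plain-PHP HTTP Basic authentication gate for a JSON endpoint such as /routes.json. It reads the credentials the client sent, verifies them against a stored password hash, and on failure answers with the 401 and WWW-Authenticate header that tells a REST client which scheme to retry with. Assumptions: PHP 7.4+, the endpoint is served over HTTPS (Basic only base64-encodes the password), and the user table is constructed for the example; a real application would look the user up in its own store and then run its existing ACL check on the returned user.

```php
<?php
// Added example: HTTP Basic authentication gate for a JSON endpoint.
// Credential store and realm name are constructed for the example.
declare(strict_types=1);

// Constructed sample store: username => password_hash() of the password.
// Hashing on first use keeps the example self-contained; a real store holds
// the hashes generated when the users registered.
function userTable(): array
{
    static $table = null;
    if ($table === null) {
        $table = ['matt' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return $table;
}

// A hash to verify against when the username is unknown, so unknown-user and
// wrong-password requests take the same time and do not leak which users exist.
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    return $hash;
}

// Pull Basic credentials out of the request. mod_php fills PHP_AUTH_USER and
// PHP_AUTH_PW; under CGI/FastCGI only the raw Authorization header may be
// available (sometimes as REDIRECT_HTTP_AUTHORIZATION after a rewrite).
function basicCredentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    $header = $server['HTTP_AUTHORIZATION']
        ?? $server['REDIRECT_HTTP_AUTHORIZATION']
        ?? '';
    if (stripos($header, 'basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2);   // [user, password]; password may contain ':'
}

// Returns the authenticated username, or null when no usable credentials were
// sent or the password did not match.
function authenticate(array $server): ?string
{
    $creds = basicCredentials($server);
    if ($creds === null) {
        return null;
    }
    [$user, $password] = $creds;
    $table = userTable();
    $known = isset($table[$user]);
    $matches = password_verify($password, $known ? $table[$user] : dummyHash());
    return ($known && $matches) ? $user : null;
}

// The "right header" for a missing or wrong credential: 401 plus a
// WWW-Authenticate challenge naming the scheme the client should retry with.
function challenge(string $realm): void
{
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="' . $realm . '", charset="UTF-8"');
    header('Content-Type: application/json');
    echo json_encode(['error' => 'authentication required']);
}

$user = authenticate($_SERVER);
if ($user === null) {
    challenge('myapp API');
    exit;
}
// $user is now who the request claims to be; the existing ACL layer decides
// what that user may see (in CakePHP 1.3 that is AclComponent::check()).
header('Content-Type: application/json');
echo json_encode(['user' => $user, 'routes' => []]);
```

A client exercises it with `curl -u matt:'correct horse' https://localhost/myapp/routes.json`; leaving off `-u` or sending a wrong password returns the 401 with the challenge header, which is also what makes a browser show its login dialog. The credential is carried in the Authorization header rather than in the URL path, so it does not end up in access logs, proxy logs or browser history the way a token embedded in the URL would.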
I am new to APIs. I am supposed to develop an API that allows our content provider to give information pertaining to soccer, whereby he is supposed to create matches, update matches, etc. I would like to know how to create a REST API in PHP that allows a client to enter the information. So far, I have created an API, but I don't know how to enable the client to enter the information.
Information:
It is the basic form that you have to create, and then you must allow the user to submit the form data that he/she has filled in, and you have to post the data to the route that you have created.
You must submit the data and then json_encode() the submitted data so that it will work for the API.
Or else, if you are not designing the form and other such things, you can directly go for the API add-ons that Firefox and Chrome have, assuming you are using Chrome or Firefox as browsers.
https://addons.mozilla.org/en-US/firefox/addon/restclient/
https://addons.mozilla.org/en-US/firefox/addon/rest-easy/
https://chrome.google.com/webstore/detail/postman/fhbjgbiflinjbdggehcddcbncdddomop?hl=en
Okay, assuming that you have created a REST API already, download the Advanced REST Client Chrome extension: https://chrome.google.com/webstore/detail/advanced-rest-client/hgmloofddffdnphfgcellkdfbfbjeloo
I hope that answers your question.
P.S.: May I know what framework you used to design your REST API? Additional details can help you further.
Building REST APIs is actually a rather easy task. That's primarily what I work on at work all day. If you have to use PHP (I'm a fan of PHP, so don't take that comment the wrong way :) ), I would recommend using a framework like Laravel.
The logic to handle the information once it's requested wouldn't change. You would just need to make your requests/responses REST compliant.
Here is a great tutorial for doing just that!
Also, since you use Yii, this tutorial is probably better. I've never used Yii, so I can't really vouch for it, though.
I have developed a website with my friend. For the front-end we are using AngularJS, and for the backend we're using Laravel.
Whenever data has to be fetched, an API call is made from front-end to PHP.
My concern is that this API call is clearly visible in network panel. Then some bad guy can easily abuse this API. How can I avoid this?
In most cases exposing your API is not a bad thing, but you need to think about this:
1. You should design your API so that only legitimate operations can be made. For example: a person shouldn't be able to delete the whole database using the API.
2. You could provide some authentication mechanism if needed, so the person trying to call your API will have to be logged in (the authentication token should be stored in the session and verified server-side with every API call).
If you want to hide POST/GET params from the console, try to make a JSONP call in Angular. JSONP calls are not real AJAX requests and won't be shown in Firebug. You can also clear the console using clearconsole() after you receive the response, and you can also authenticate the requesting IP in your Laravel backend.
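Point 2 of the answer above, written out as an added example (not code from the question or the answer, and not Laravel's own middleware, which ships ready-made checks of this kind): an API call that is fully visible in the browser's network panel but only answered for a logged-in session. Framework-independent PHP, PHP 7.4+. The X-API-Token header name, the $posts table and the user ids are constructed for the example.

```php
<?php
// Added example: session-bound API token checked on every call, plus the
// per-record authorization check that authentication alone does not give you.
declare(strict_types=1);

session_start();

// Run once, right after the application has verified the user's password.
// The token lives in the session and is handed to the front-end, which sends
// it back in a request header on every API call.
function issueApiToken(int $userId): string
{
    $token = bin2hex(random_bytes(32));
    session_regenerate_id(true);        // fresh session id across login
    $_SESSION['user_id'] = $userId;
    $_SESSION['api_token'] = $token;
    return $token;
}

// Run on every API request. Requiring both the session cookie and the header
// means a cross-site page, which can make the browser attach the cookie but
// cannot read the token, still cannot call the API.
function requireApiAuth(array $server): int
{
    $sent = (string) ($server['HTTP_X_API_TOKEN'] ?? '');
    $expected = (string) ($_SESSION['api_token'] ?? '');
    if ($expected === '' || $sent === '' || !hash_equals($expected, $sent)) {
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'not authenticated']);
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// Point 1 of the answer: authentication says who is calling; the operation
// must still check that this caller may touch this record. Returns the updated
// table; a real handler would put the owner id in the DELETE's WHERE clause.
function deletePost(array $posts, int $callerId, int $postId): array
{
    if (!isset($posts[$postId])) {
        http_response_code(404);
        return $posts;
    }
    if ($posts[$postId]['owner'] !== $callerId) {
        http_response_code(403);        // authenticated, but not allowed
        return $posts;
    }
    unset($posts[$postId]);
    http_response_code(204);
    return $posts;
}

// Constructed sample data standing in for a posts table.
$posts = [
    1 => ['owner' => 7,  'title' => 'first post'],
    2 => ['owner' => 42, 'title' => 'someone else'],
];

// Wiring for a request such as DELETE /api/posts?id=2 with X-API-Token: ...
$callerId = requireApiAuth($_SERVER);
$postId = (int) ($_GET['id'] ?? 0);
$posts = deletePost($posts, $callerId, $postId);
```

Anyone can see the request in the network panel and replay its shape; what they cannot do is supply a token that matches the one in a session they do not own, and even with a valid session the 403 branch keeps user 7 from deleting post 2. Hiding the request from developer tools adds nothing to either check.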
It's just like regular routing. For example: Everybody knows that they can access a user's profile on Facebook on the /:username route, but Facebook prevents unauthorized clients from viewing that data. The same concept is used for REST routes.
Just like regular page requests, AJAX calls and the data passed / received can be seen by the user. JSONP can be used to prevent the API requests from being logged by regular developer tools, but that is not a good security solution; your API can still be discerned by a malicious user.
Even if you encrypt the request payload and the response, it can be intercepted by a malicious user before encryption and after decryption.
You mentioned using proper authentication on your API, which is usually good enough for most cases.
I want to build an API-first RESTful application in PHP. I have never attempted to do this, so I have some questions about how to handle PUT and DELETE.
So, for example, if I have an API endpoint that updates a user profile, should I make it accept BOTH a POST and a PUT request?
If I were building a client for my API as a desktop app or iOS app, etc., it would be easy to send a PUT request to my API, but I plan to have a web-based app for my API as well.
So on my web-based app, I would have an HTML form to update a user profile; this would then be sent as a POST, as HTML forms do not allow PUT requests.
Could someone with more experience with this explain the best way to handle my example scenario?
Would the proper way be to send my form as a POST to my PHP script, and then have my PHP script make a proper PUT request to my PHP API with cURL?
You can absolutely also do PUT requests from browsers, but you need JavaScript.
Generally I would say a good way to think about it, is as follows:
First build a great REST API that follows all the rules. Only once you are at that point, think about the workarounds you need to make it work in other contexts. Submitting an HTML form is a valid thing to need a workaround for.
However, since 'POST' is completely open to interpretation and has few rules associated with it, one option would be to create a single resource (or URL) on your server that handles all the POST requests coming from browsers (something like /browserpost).
You could always add a hidden <input> field with name="url" that specifies which resource was actually intended to be updated, and an <input> with name="method" value="PUT" for the intention.
You will need to add CSRF protection anyway, so I feel this would be a solid way to deal with this: one endpoint to specifically 'proxy' HTML-based form submissions and internally do the appropriate mappings to the correct REST services.
I would use GET, POST, PUT and DELETE as they are described in HTTP. That's RESTful (in my opinion). As regular browser forms do not support this, I would send the data via AJAX.
If you really need to use browser forms, maybe because JavaScript is not enabled, then using POST requests with a param like ?method sounds like a suitable solution, although I don't like it.
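The /browserpost mapping described in the first answer, carried through as an added example that also serves the soccer-API question earlier on this page (how a client submits match data to a PHP REST endpoint). This is not code from any question or answer here: the in-memory $matches store, the /matches/{id} route, the CSRF field and the hidden "url" and "method" field names are all constructed for the example. Native clients send PUT or DELETE with a JSON body; the HTML form POSTs to /browserpost, and the front controller validates the CSRF token, allows only PUT and DELETE and only paths on this server, then dispatches to the same handler. PHP 7.4+.

```php
<?php
// Added example: one REST handler, reachable natively or via a browser-form
// override endpoint. Store, routes and field names are constructed.
declare(strict_types=1);

session_start();

// Stand-in for a matches table.
$matches = [1 => ['home' => 'Arsenal', 'away' => 'Spurs', 'score' => '0-0']];

// Accept only the fields a match has, whether they came from a JSON body or
// from form fields, and reject anything malformed before it reaches storage.
function matchFields(array $raw): ?array
{
    $f = ['home' => $raw['home'] ?? '', 'away' => $raw['away'] ?? '', 'score' => $raw['score'] ?? ''];
    foreach ($f as $v) {
        if (!is_string($v) || $v === '' || strlen($v) > 64) {
            return null;
        }
    }
    return preg_match('/^\d{1,2}-\d{1,2}$/', $f['score']) ? $f : null;
}

// The REST resource: PUT creates or replaces /matches/{id}, DELETE removes it.
// Returns [status, body] so both the native and the browser path reuse it.
function handle(string $method, string $path, array $body, array &$matches): array
{
    if (!preg_match('#^/matches/(\d+)$#', $path, $m)) {
        return [404, ['error' => 'unknown resource']];
    }
    $id = (int) $m[1];
    switch ($method) {
        case 'PUT':
            $fields = matchFields($body);
            if ($fields === null) {
                return [400, ['error' => 'home, away and score (e.g. 2-1) are required']];
            }
            $created = !isset($matches[$id]);
            $matches[$id] = $fields;
            return [$created ? 201 : 200, ['id' => $id] + $fields];
        case 'DELETE':
            if (!isset($matches[$id])) {
                return [404, ['error' => 'no such match']];
            }
            unset($matches[$id]);
            return [204, null];
        default:
            return [405, ['error' => 'method not allowed']];
    }
}

// Session-bound CSRF token to embed in the HTML form as a hidden field.
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Map a POST /browserpost onto the REST call it stands for. Only PUT and
// DELETE may be requested and only /matches/{id} on this server, so the
// endpoint is neither an open proxy nor a way to smuggle a GET past checks.
function translateBrowserPost(array $post): ?array
{
    $ok = isset($post['csrf'], $post['method'], $post['url'])
        && is_string($post['csrf']) && is_string($post['method']) && is_string($post['url'])
        && hash_equals(csrfToken(), $post['csrf'])
        && in_array($post['method'], ['PUT', 'DELETE'], true)
        && preg_match('#^/matches/\d+$#', $post['url']) === 1;
    if (!$ok) {
        return null;
    }
    [$method, $url] = [$post['method'], $post['url']];
    unset($post['csrf'], $post['method'], $post['url']);   // leave only match fields
    return [$method, $url, $post];
}

// Front controller.
$method = $_SERVER['REQUEST_METHOD'];
$path   = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';

if ($method === 'POST' && $path === '/browserpost') {
    $t = translateBrowserPost($_POST);
    [$status, $body] = $t === null
        ? [400, ['error' => 'bad browser submission']]
        : handle($t[0], $t[1], $t[2], $matches);
} else {
    $json = json_decode((string) file_get_contents('php://input'), true);
    [$status, $body] = handle($method, $path, is_array($json) ? $json : [], $matches);
}

http_response_code($status);
if ($body !== null) {
    header('Content-Type: application/json');
    echo json_encode($body);
}
```

A native client updates a match with `curl -X PUT -H 'Content-Type: application/json' -d '{"home":"Arsenal","away":"Spurs","score":"2-1"}' http://localhost/matches/1`. The browser form instead POSTs to /browserpost with hidden fields csrf (the value of csrfToken()), method=PUT and url=/matches/1 alongside the visible home, away and score inputs, and ends up in the same handle() call. The override path needs the CSRF check because a cross-site form can POST to /browserpost just as easily as the real one; the native PUT/DELETE path does not, because browsers will not send those methods cross-origin without a preflight.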
I have been having a goosey around the login functions of Stack Exchange, and I have noticed that, depending on what you click, it adjusts a form with either OAuth information or OpenID information in the form of the query which submits the form to a script inside of Stack Exchange. I was wondering if anyone had the information for how the script would communicate with that particular service and use the returned information to log in, as well as fetching additional information about that account from the service.
If anyone has any scripts or snippets, PHP would be preferred.
The Janrain OpenID Libraries are pretty good. They have a few quirks when it comes to extending them, but I think for your purposes they will be fine.
Facebook does NOT do OpenID. For Facebook you will need to use a different library (and that is something I have not done, so I cannot comment on it).
I wanted to find out how to log in to another site via PHP... I don't know the proper term for it, but basically, I want a user to be able to enter their login information for another website on mine, and interact with it through mine. Is there any tutorial?
Thanks
There are a few ways to do the job (actually, you just need to send POST data to the other site).
You can use:
curl (example: http://davidwalsh.name/execute-http-post-php-curl),
stream context (example: http://php.net/manual/en/function.stream-context-create.php),
or directly with sockets (example: http://www.jonasjohn.de/snippets/php/post-request.htm).
cURL will do that: PHP, cURL post to login to WordPress
But you will need that installed on the server, which is sometimes not an option. There are, however, loads of scripts that can do the same thing as cURL without the cURL libs installed, e.g. CakePHP's HttpSocket class.
As already stated, cURL will do that.
But you can also check out this PHP class that makes everything easier and gives you a lot of automation out of the box,
including prefilling of CSRF tokens, finding of all input fields, retrieving of details from the designated site, etc.
The class can be found here: Crawl Engine
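The cURL approach the answers above describe, written out as an added example (not code from the question, the answers, or the Crawl Engine class): one cURL handle with a private cookie jar fetches the other site's login form, pulls the hidden CSRF token out of it, POSTs the credentials, and then reads a page only a logged-in session can see. Everything about the target is an assumption constructed for the example: a form at /login with fields named _token, username and password, and a protected page at /account; the real names come from the target's own HTML. PHP 7.4+ with the curl and dom extensions.

```php
<?php
// Added example: log in to another site with cURL and replay its session
// cookie. Target URLs and field names are constructed assumptions.
declare(strict_types=1);

// One cURL handle with a private cookie jar so the session cookie set by the
// login response is sent on the following requests. TLS verification stays
// on: turning it off would let anyone on the path read the user's password.
function newSession(string $cookieJar)
{
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_MAXREDIRS      => 5,
        CURLOPT_COOKIEJAR      => $cookieJar,
        CURLOPT_COOKIEFILE     => $cookieJar,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 15,
    ]);
    return $ch;
}

function httpGet($ch, string $url): string
{
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HTTPGET, true);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('GET failed: ' . curl_error($ch));
    }
    return $body;
}

function httpPost($ch, string $url, array $fields): string
{
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, true);
    // http_build_query() gives a urlencoded body, which is what a browser form
    // sends; passing the array itself would switch cURL to multipart/form-data.
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($fields));
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('POST failed: ' . curl_error($ch));
    }
    return $body;
}

// Read a hidden field from the login form (the "prefilling of CSRF tokens"
// the last answer mentions); without it most frameworks reject the POST.
function hiddenField(string $html, string $name): ?string
{
    $doc = new DOMDocument();
    @$doc->loadHTML($html);             // silence warnings for sloppy markup
    foreach ($doc->getElementsByTagName('input') as $input) {
        if ($input->getAttribute('name') === $name) {
            return $input->getAttribute('value');
        }
    }
    return null;
}

// Log in and return the protected page, or null if the login did not stick.
function loginAndFetch(string $base, string $user, string $password): ?string
{
    $jar = tempnam(sys_get_temp_dir(), 'jar');
    $ch = newSession($jar);
    try {
        $token = hiddenField(httpGet($ch, $base . '/login'), '_token');
        if ($token === null) {
            throw new RuntimeException('login form or its _token field not found');
        }
        httpPost($ch, $base . '/login', [
            '_token'   => $token,
            'username' => $user,
            'password' => $password,
        ]);
        $page = httpGet($ch, $base . '/account');
        // A failed login usually redirects back to the form with a 200, so
        // check where the request ended up rather than trusting the status.
        $landed = (string) curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);
        return strpos($landed, '/login') !== false ? null : $page;
    } finally {
        curl_close($ch);
        unlink($jar);                   // the jar holds the user's live session
    }
}

// The user's password for the other site is used once, here, and not stored.
$page = loginAndFetch('https://example.com', $_POST['user'] ?? '', $_POST['pass'] ?? '');
echo $page === null ? 'login failed' : 'logged in, got ' . strlen($page) . ' bytes';
```

Two things matter more than the HTTP mechanics when a site proxies a user's login to another site: the third-party password should never be persisted on your server, and the cookie jar should be private to the request and deleted afterwards, since anyone who can read it holds the user's live session on the other site.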