Authentication for a Symfony2 api (for mobile app use)

Marc picture Marc · Jul 19, 2011 · Viewed 16.7k times · Source

I've developed a REST api for my Symfony2 application. This api will be used by a mobile app. Much of the functionality is done in the context of the currently authenticated user, ie:

$this->container->get('security.context')->getToken()->getUser()

I'm hoping that the mobile app will be able to post to the login action just like a traditional web form. If the credentials check out then Symfony2 does it's thing and sets a cookie (does this even work in the context of a mobile app accessing an api?). Then later api requests from that mobile phone will (hopefully) work with the native symfony2 security.context service container.

Would this work? I need to figure out this authorization process before I take the API to the mobile developers. If possible I'd obviously like to be able to use the native security.context service instead of building out a new auth system for the api that uses xAuth or something similar.

Thanks

Answer

julesbou picture julesbou · Jul 21, 2011

I think you should do it stateless (without cookie).

I had the same problem, what i did:

  • in your app/config/security.yml, add:
security:
    ...
    firewalls:
        rest_webservice:
            pattern: /webservice/rest/.*
            stateless: true
            http_basic:
                provider: provider_name
    ...
  • Now you can make a request to your webservice:
class AuthTest extends WebTestCase 
{
    public function testAuthenticatedWithWebservice() 
    {
        $client = $this->createClient();

        // not authenticated
        $client->request('GET', '/webservice/rest/url');
        $this->assertEquals(401, $client->getResponse()->getStatusCode());

        // authenticated
        $client->request('GET', '/webservice/rest/url', array(), array(), array(
            'PHP_AUTH_USER' => 'username', 
            'PHP_AUTH_PW' => 'password'
        ));
        $this->assertEquals(200, $client->getResponse()->getStatusCode());
    }
}