I'm writing a simple RESTful service, using Phil Sturgeon Rest Server. I want to protect my methods by using the API key provided with this library.
Unfortunately, this is not very well documented and I'm a bit lost.
I want to authenticate users (email/password), then generate an auth key to send on every other requests. But it seems that I already need the auth key to generate one ... Create a dummy key does not seem very secure. Sorry if it is a dumb question, but what should be the best practice?
If you are familiar with other APIs you'll notice a common pattern. I recommend an authenticate method where the user passes their email and password, which will return a generated unique auth key. The auth key would be like a session id, think of how cookies work. Then all the other API methods should check $this->post('auth') and you need to compare this with your session handler (i.e. database or sessions), before you process each request.
Seems like a lot of code huh? Nope.
All your models should have an overloaded constructor:
class MyAPIController extends Rest_controller
{
public function __construct()
{
parent::__construct();
if(!authCheck($this->post('auth'))){
returnFailedResponse();
exit();
}
}
Then write you API normally, like in the examples on Phil Sturgeon's website. http://net.tutsplus.com/tutorials/php/working-with-restful-services-in-codeigniter-2/
Make a model that has authCheck to test that the auth key is valid, and make a method for returnFailedResponse to return a 401 Unauthorized.
In another controller, lets call it 'Auth', use the above contructor.
Now every call to your api should set a header for the Auth. Ex. 'Auth: 12m34k23b'.