jhuesser / bzu-jodel-clone

This webapp is a clone of the famous student app jodel (jodel.com). This is a project for school. Alpha state, not released yet.
GNU General Public License v3.0

implement secured API #170

Open jhuesser opened 7 years ago

jhuesser commented 7 years ago

The application should handle a secured API.

Clodmony commented 6 years ago

One does not simply tell cloudy to secure the api

jhuesser commented 6 years ago

just do it

Clodmony commented 6 years ago

@jhuesser got it

jhuesser commented 5 years ago

ehhhh

jhuesser commented 1 year ago

To implement authentication and authorization for the API using the auth.php file, you would need to do the following:

First, you would need to include the auth.php file in your API script, using the require_once function:

```php
require_once 'auth.php';
```

Next, you would need to initialize a session using the session_start() function. This would allow you to store and retrieve information about the current user's session, such as whether they are logged in and their username:

```php
session_start();
```

You would then need to define a $config array that contains information about the configuration of your authentication and authorization system. This array would include the following keys and values:

- 'login': the path to the login page that should be served to users who are not logged in.
- 'audience': the intended audience of the JWT.
- 'time': the time at which the JWT was issued (this can be set to the current time using the time() function).
- 'ttl': the time-to-live for the JWT (this determines how long the JWT will remain valid).
- 'algorithm': the algorithm used to sign the JWT.
- 'secret': the secret key used to sign the JWT.
- 'redirectUri': the URI that the user should be redirected to after they log in.
- 'validate': a callback function that is used to validate the user's username and password. This function should return true if the username and password are valid, and false otherwise.

For example, the $config array might look like this:

```php
$config = array(
    'login'       => 'login.php',
    'audience'    => 'example.com/api.php',
    'time'        => time(),
    'ttl'         => 5,
    'algorithm'   => 'HS256',
    'secret'      => 'my_secret_key',
    'redirectUri' => 'example.com/api.php',
    'validate'    => function ($username, $password) {
        // Validate the username and password here...
        return true;
    },
);
```

You would then need to handle the different HTTP methods that the API may receive. If the API receives a GET request, you should call the handleGet() function from the auth.php file, passing it the $config array and the current $_SESSION array as arguments. This function will either serve the login page to the user if they are not logged in, or redirect them to the URL with the JWT if they are logged in. For example:

```php
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    handleGet($config, $_SESSION);
}
```

If the API receives a POST request, you should call the handlePost() function from the auth.php file, passing it the $config array, the current $_SESSION array, and the $_POST array as arguments. This function will validate the user's login credentials, and if they are valid it will update the $_SESSION array and redirect the user to the URL with the JWT. For example:

```php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    handlePost($config, $_SESSION, $_POST['username'], $_POST['password']);
}
```

If the API receives any other HTTP method (e.g. PUT, DELETE, etc.), you should return a "405 Method Not Allowed" error to the user. For example:

```php
// else-branch attached to the GET/POST checks above
else {
    header('HTTP/1.1 405 Method Not Allowed');
    exit;
}
```

Finally, you would need to implement the API endpoints that you want to make available to users. In each of these endpoints, you should first check whether the user is authenticated by checking the $_SESSION array and the JWT provided in the request. If the user is not authenticated, you should return a "401 Unauthorized" error to the user. For example:

```php
if (!isset($_SESSION['username'])
    || !verifyToken($config, $_SESSION['username'], getTokenFromRequest())) {
    header('HTTP/1.1 401 Unauthorized');
    exit;
}
```

Once you have verified that the user is authenticated, you can then implement the logic for the API endpoint. For example, you might use the $_SERVER['REQUEST_METHOD'] variable to determine which CRUD operation the user is requesting (e.g. create, read, update, delete), and then use the appropriate SQL statements to access the database and return the requested data to the user.

I hope this helps
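One concrete shape for the verifyToken() that the comment above calls, written as an added example here rather than taken from the repository's auth.php: it issues and checks an HS256 JWT driven by the same $config keys ('audience', 'time', 'ttl' taken as seconds, 'algorithm', 'secret'), pins the algorithm from the config instead of trusting the token header, compares signatures in constant time, and rejects expired or mis-addressed tokens. The function names issueToken/verifyToken, the helper b64url and the claim layout are assumptions.

```php
<?php
// Added example, not code from the project's auth.php. Claim names (sub, aud,
// iat, exp) follow the JWT registered claims; the rest is assumed.

function b64url(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function issueToken(array $config, string $username): string {
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode([
        'sub' => $username,
        'aud' => $config['audience'],
        'iat' => $config['time'],
        'exp' => $config['time'] + $config['ttl'],   // ttl in seconds
    ]));
    $sig = b64url(hash_hmac('sha256', "$header.$payload", $config['secret'], true));
    return "$header.$payload.$sig";
}

// True only when signature, algorithm, subject, audience and expiry all
// check out; every failure path returns false.
function verifyToken(array $config, string $username, string $token): bool {
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return false;
    }
    [$header, $payload, $sig] = $parts;
    // Pin the algorithm from the server-side config; the token's own "alg"
    // header is never consulted, so "none" or a swapped algorithm cannot
    // skip the HMAC check.
    if ($config['algorithm'] !== 'HS256') {
        return false;
    }
    $expected = b64url(hash_hmac('sha256', "$header.$payload", $config['secret'], true));
    if (!hash_equals($expected, $sig)) {   // constant-time comparison
        return false;
    }
    $claims = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($claims)) {
        return false;
    }
    return ($claims['sub'] ?? null) === $username
        && ($claims['aud'] ?? null) === $config['audience']
        && isset($claims['exp']) && time() < $claims['exp'];
}
```

With the example $config from the comment, 'ttl' => 5 means a token is only good for five seconds, and 'my_secret_key' should be replaced by a long random value generated with random_bytes() before anything goes live.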