merlosy / laravel-restful-api-starter

Build a RESTful API with Laravel and MongoDB
http://merlosy.github.io/laravel-restful-api-starter
MIT License

Client documentation #2

Closed gesior closed 10 years ago

gesior commented 10 years ago

Hello

I got 3 questions/requests: Can you upload a client somewhere (or at least some code showing how to log in, create an account, etc. with JS/jQuery or AngularJS) to test that API? Can you describe (add some comments to the code) why you did something 'this way'? Can you create a 'database migrate'? I would like to test it with SQLite and MySQL.

Thank you for your great example 'how to create restful laravel api'. I hope you will have some time to answer my questions.

merlosy commented 10 years ago

Hi gesior! Thanks for your feedback

Q1: I'll see what I can do, but it's probably going to take some time as I'm a debutant with Angular and JS in general. The idea is to build an HTTP request with the right method. Maybe you can google some tutorials about this.

Q2: Yes, no problem! Are there some more specific points you would like me to develop?

Q3: OK, I will do it.

Cheers

gesior commented 10 years ago

Q1: I found a lot of tutorials about Angular/jQuery AJAX queries to Laravel APIs, but I'm still not sure what I must put where (POST/GET, URL to the controller, what goes in the 'post'/'get' data). If you are not familiar with JS, then you could write some cURL requests in a format like:

curl -X POST -H "Content-Type: application/json" -d '{"title":"My First TODO","completed":"no"}' http://localhost/apitest/public/api/v1/todos/

curl -X GET -H "Content-Type: application/json" -d '{"id":"44"}' http://localhost/apitest/public/api/v1/todos/ (you can assume that 'somehow' it stores cookies like a web browser)

Q2: The interesting part is the 'logout' action. Why do you pass $user there (from the route 'v1/users/{userId}/logout')? Why doesn't it just delete the token with the ID from Input::get('token')? Since in the 'logged_in' filter you already check that he is logged in (the user sent a token and it's valid)? Is it there to protect from some kind of attack, or what?

I got one more question. Tokens store the values 'device_id' and 'device_os'. Did you add them to demonstrate that 'there is the possibility to view other users logged in to X account [user]', or do you have some plan for how to get the 'device_id'? Does the user type it when he logs in? Is it generated randomly in the client application?

Thank you for answer. Gesior

merlosy commented 10 years ago

Hi Gesior

Sorry for the delay, I've been busy these days...

Q1: I think it works with curl too. Make sure you use the right HTTP method though: it could be GET, POST, PUT, PATCH or DELETE, if you follow the conventions for REST APIs. Regarding the tests of your URLs, I usually use a Google extension (Postman). See https://github.com/merlosy/laravel-restful-api-starter/wiki/Testing

Q2: Before logging out a user, I check if he is logged in (with a filter). Then, the user_id is a bit of additional security: I check if the owner of the token matches the user id. It may not be necessary, but maybe a token could have been stolen during a previous communication (if you are not using a secure channel, you can be exposed to a man-in-the-middle). This is also a reason why I'm considering using SSL, or a nonce (single-use token), in a later version of the project.

Q3: I added the routes .../sessions so that a user can access all active sessions on any device. That way he could remotely log out from a device. As far as I know, a unique device_id is managed in Android, but it has been removed on iOS since version 7. So for the latter, you will have to generate it randomly when you first open the app (after install) and store it permanently on the phone. Make sure the key is unique, long enough and identifies your app (you can use a hash like sha256).

Rgds,
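The ownership check described in Q2 and the remote logout from Q3, written out as an added illustration that is not the repository's own code. It assumes a hypothetical Eloquent model `Token` (columns `user_id`, `token`, `device_id`, `device_os`), the route `v1/users/{userId}/logout` already guarded by the `logged_in` filter, and Laravel 4-style `Input`/`Response` facades; every class and method name here is an assumption.

```php
<?php
// Added example, not the project's code. Assumed model: Token with columns
// user_id, token, device_id, device_os. The logged_in filter is assumed to have
// already rejected requests with no token or an unknown token.

class SessionController extends \Controller
{
    // Resolve the presented token and confirm it belongs to the user named in
    // the URL. A valid token presented against someone else's /logout URL, or a
    // stolen token replayed against an arbitrary account, stops here.
    private function ownedToken($userId)
    {
        $token = Token::where('token', Input::get('token'))->first();

        if ($token === null) {
            return null; // unknown token (filter should normally catch this)
        }

        if ((int) $token->user_id !== (int) $userId) {
            return false; // valid token, but not this user's
        }

        return $token;
    }

    // DELETE v1/users/{userId}/logout: remove only the token of this request.
    public function logout($userId)
    {
        $token = $this->ownedToken($userId);

        if ($token === null) {
            return Response::json(['error' => 'invalid token'], 401);
        }
        if ($token === false) {
            return Response::json(['error' => 'token does not belong to this user'], 403);
        }

        $token->delete();

        return Response::json(['message' => 'logged out'], 200);
    }

    // DELETE v1/users/{userId}/sessions/{deviceId}: log out another device of
    // the same user. The same ownership check gates it, so a user can only
    // terminate sessions that share his own user_id.
    public function logoutDevice($userId, $deviceId)
    {
        $token = $this->ownedToken($userId);

        if ($token === null) {
            return Response::json(['error' => 'invalid token'], 401);
        }
        if ($token === false) {
            return Response::json(['error' => 'token does not belong to this user'], 403);
        }

        // Scope the delete by user_id as well as device_id, so a guessed
        // device_id of another user never matches.
        $deleted = Token::where('user_id', (int) $userId)
            ->where('device_id', $deviceId)
            ->delete();

        if ($deleted === 0) {
            return Response::json(['error' => 'no such session'], 404);
        }

        return Response::json(['message' => 'device logged out'], 200);
    }
}
```

The point of keeping `user_id` in the URL is that the filter only answers "is this token valid?", while the controller answers "may the holder of this token act on this account?"; the second question is what stops a leaked token from being used against a different `userId`, and scoping every query by `user_id` keeps the sessions routes from becoming a way to enumerate or delete other users' devices.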