mevdschee / php-crud-api

Single file PHP script that adds a REST API to a SQL database
MIT License
3.6k stars 1.01k forks

Impossible to get authorized when using the Db Authentication #824

Closed ulrick closed 2 years ago

ulrick commented 2 years ago

Hello! I need help with the use of the database authentication.

I would like to thank you for your work and for this great library

mevdschee commented 2 years ago

Thank you for creating this issue.

log a user in by username and password

You need to hit the /login endpoint and retrieve a valid session cookie (that you should send on subsequent requests).

What should the http header authorization look like in this case?

If you use "basic auth" the username and password should be provided in the authorization http header.

May I combine the database authentication with another type of authentication?

That should be possible

I would like to thank you for your work and for this great library

Thank you for your kind words, Maurits

ulrick commented 2 years ago

Hello! I am still not able to make it work by combining the apiKeyAuth. These are my configurations:

-request header in the angular auth.interceptor.ts: image

Should the key be encrypted? What am I doing wrong? Thank you.

mevdschee commented 2 years ago

Hi, thank you for creating this question. You should use the "apiKeyDbAuth" instead of "dbAuth" and "apiKeyAuth" middlewares, unless you will be letting people login. The key should not be encrypted. Also you should set the order of the middlewares correctly. I think you want to apply the "apiKeyDbAuth" before the "dbAuth". Kind regards, Maurits

mevdschee commented 2 years ago

In the tests I use this order:

cors,apiKeyAuth,dbAuth,authorization

As you can see here: https://github.com/mevdschee/php-crud-api/blob/main/tests/config/base.php

mevdschee commented 2 years ago

Can you share the goal(s) of the "errors" middleware? I'm curious what works best in real world scenarios.

ulrick commented 2 years ago

Hello! Thank you for the answer.

mevdschee commented 2 years ago

You need to enable session cookies for the dbAuth to work correctly (I don't think you also need apiKeyAuth if you do), see: https://developers.google.com/web/updates/2015/03/introduction-to-fetch#sending_credentials_with_a_fetch_request

fetch(url, {
  credentials: 'include'
})

In Angular 2 it would be:

let options = new RequestOptions({ headers: headers, withCredentials: true });

Something like that (credentials, withCredentials) should do it.

see: https://stackoverflow.com/questions/42289817/angular-2-get-cookie-from-response

mevdschee commented 2 years ago

Any update?

mevdschee commented 2 years ago

closing due to inactivity.

ulrick commented 2 years ago

Hello!

Sorry! I was not available these last 20 days.

Impossible to make it work. My problem is not with the authentication but the authorization I think. I can easily get authenticated with dbAuth, but I can not make any other request after being authenticated.

My api.php is on an OVH site but the client (currently in development) will be deployed in a firebase container (production). I think I have this issue because of the cross origin.

I will deactivate the api.php middleware and continue without authentication. I will try to use firebase authentication instead or any other type.

Thanks very much for your time and help.

mevdschee commented 2 years ago

Notice the 'set-cookie' header in the response, see whether or not your next request contains the cookie. I think the cookie jar is not working.

ulrick commented 2 years ago

The next requests do not contain the cookie. Maybe my localhost and not secured environment does not allow sending cookies automatically? I will try the scenario with a prod environment to see if it works. I will close the issue for the moment and come back if there is any other update.

Thanks very much!
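
The check discussed in the last comments (a 'set-cookie' header in the login response, but no cookie on the next cross-origin request), as an added example that is not part of the original thread and is not php-crud-api code. The function names, the result codes and the sample header values are assumptions made for illustration; the headers are meant to be copied from the browser's network panel.

```javascript
// Added example, not php-crud-api code. Header values passed in are constructed samples.
// Simplification: any scheme or hostname difference is treated as cross-site
// (stricter than the browsers' registrable-domain rule).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.split('=')[0], secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=');
    if (key.toLowerCase() === 'secure') cookie.secure = true;
    if (key.toLowerCase() === 'samesite') cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Returns a list of "CODE: reason" strings; an empty list means no problem was found.
function diagnoseSessionCookie({ pageOrigin, apiOrigin, withCredentials, headers }) {
  const page = new URL(pageOrigin);
  const api = new URL(apiOrigin);
  const problems = [];
  if (page.origin === api.origin) return problems; // same-origin: cookies flow by default
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  if (!withCredentials) {
    problems.push('NO_CREDENTIALS: request lacks credentials "include" / withCredentials, so Set-Cookie is ignored and no cookie is sent');
  }
  if (h['access-control-allow-credentials'] !== 'true') {
    problems.push('ACAC_MISSING: response needs Access-Control-Allow-Credentials: true');
  }
  if (h['access-control-allow-origin'] !== page.origin) {
    problems.push(`ACAO_MISMATCH: Access-Control-Allow-Origin must be exactly ${page.origin} ("*" is refused with credentials)`);
  }
  if (!h['set-cookie']) {
    problems.push('NO_SET_COOKIE: login response set no cookie');
    return problems;
  }
  const cookie = parseSetCookie(h['set-cookie']);
  const crossSite = page.protocol !== api.protocol || page.hostname !== api.hostname;
  if (crossSite && cookie.sameSite !== 'none') {
    problems.push(`SAMESITE_NOT_NONE: ${cookie.name} is not SameSite=None; Lax or Strict (or a browser's Lax default) keeps it off cross-site fetch/XHR`);
  }
  if (cookie.sameSite === 'none' && !cookie.secure) {
    problems.push(`NONE_WITHOUT_SECURE: ${cookie.name} has SameSite=None without Secure; browsers enforcing that rule reject it`);
  }
  return problems;
}
```

An empty result only means the CORS and cookie attributes are consistent; a browser that blocks third-party cookies can still drop the session cookie.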