I've developed few web APIs in PHP using Slim framework which are used by mobile apps(iOS and Android) to process their requests and get the required data.
Eventually, in every API I'm sending the requests received from mobile app to the respective function present in a code base of my website. Then the respective function accepts the request and request parameters, process the request and returns the required data. Then the API returns the data to the mobile app in JSON format. This is the current work flow.
Now, I want to make the availability of website resources (i.e. functions from website's code base and data) subject to user authentication. In short, I want to implement 'Token Based Authentication' scheme in this scenario.
Following should be the flow after I implement 'Token Based Authentication':
When user first time logs in to the system by sending user name and password in an request to the login API, one security token will get generate upon successful verification of the user name and password combination for that particular user. This security token will also get stored into some MySQL database table along with the user name/password/some hashed value to identify the user in further processing. If the verification fails the security token should not get generate and the user should also not log in.
Upon successful login, the generated security token will be sent back to the user in success response of login API. Now until the user is logged in with each subsequent request this token will be sent to the concerned API and ultimately it will be sent to the authentication function for the authentication of it's validity.
If with any request an invalid token is sent then the "Please login first " message should be sent in response and the website resource should not get access.
Once user logs out this security token entry should be deleted from the database or whatever appropriate action should be taken on it.
Since, I'm working on 'Token Based Authentication' for the first time in my career I might be wrong with my above approach. If I'm doing anything wrong please correct my mistake/s.
I found following links but those I didn't find much useful since they are lacking working code example with step-by-step description :
PHP HMAC Restful API that uses Phalcon Micro framework
If you could provide me the entire code which consists the database table creation, connectivity between PHP and MySQL, then creation of security token, checking the validity of security token for the current logged in user, etc. it would be really great for me.
Also, if you could give the working code example for any of the above two (or both) options as your answer to this question that would also be very great. If you have any other option apart from the two I provided with complete working code example you are welcome with your answer.
N.B.:- Please don't suggest me to use OAuth authentication process.
Following is the code I tried on my own but I don't know whether it's right or wrong. Is my approach correct or wrong?
To create a token I use this function which takes as parameters, the user's data
define('SECRET_KEY', "fakesecretkey");
function createToken($data)
{
/* Create a part of token using secretKey and other stuff */
$tokenGeneric = SECRET_KEY.$_SERVER["SERVER_NAME"]; // It can be 'stronger' of course
/* Encoding token */
$token = hash('sha256', $tokenGeneric.$data);
return array('token' => $token, 'userData' => $data);
}
So a user can authentified himself and receive an array which contains a token (genericPart + his data, encoded), and hisData not encoded :
function auth($login, $password)
{
// we check user. For instance, it's ok, and we get his ID and his role.
$userID = 1;
$userRole = "admin";
// Concatenating data with TIME
$data = time()."_".$userID."-".$userRole;
$token = createToken($data);
echo json_encode($token);
}
Then the user can send me his token + his un-encoded data in order to check :
define('VALIDITY_TIME', 3600);
function checkToken($receivedToken, $receivedData)
{
/* Recreate the generic part of token using secretKey and other stuff */
$tokenGeneric = SECRET_KEY.$_SERVER["SERVER_NAME"];
// We create a token which should match
$token = hash('sha256', $tokenGeneric.$receivedData);
// We check if token is ok !
if ($receivedToken != $token)
{
echo 'wrong Token !';
return false;
}
list($tokenDate, $userData) = explode("_", $receivedData);
// here we compare tokenDate with current time using VALIDITY_TIME to check if the token is expired
// if token expired we return false
// otherwise it's ok and we return a new token
return createToken(time()."#".$userData);
}
$check = checkToken($_GET['token'], $_GET['data']);
if ($check !== false)
echo json_encode(array("secureData" => "Oo")); // And we add the new token for the next request
Am I right?
Based on our discussion, you could do something akin to OAuth2.0. I would recommend implementing the full spec, but since it is your application, you could make changes.
Here is a graph from RFC 6750
+--------+ +---------------+
| |--(A)- Authorization Request ->| Resource |
| | | Owner |
| |<-(B)-- Authorization Grant ---| |
| | +---------------+
| |
| | +---------------+
| |--(C)-- Authorization Grant -->| Authorization |
| Client | | Server |
| |<-(D)----- Access Token -------| (Slim API) |
| | +---------------+
| |
| | +---------------+
| |--(E)----- Access Token ------>| Resource |
| | | Server |
| |<-(F)--- Protected Resource ---| |
+--------+ +---------------+
In slim, you could have as few as three endpoints:
POST username/password:
/oauth/v1/authenticate/
returns { token: foo }
GET where {token} is your unique token
/oauth/v1/token/{token}
returns { username: joe, permissions['page:admin','users:full'], expires: 123456}
DELETE pass the {token}
/oauth/v1/token/revoke
replies with 200 OK and an empty body.
Now, how it works:
- When they auth, just return a JSON object with your
token, which the client stores in something like a cookie. - The client passes this to your resource server in a header as identified in the RFC section 2.1 (which looks up the user permissions in a database/nosql/whatever):
GET /resource HTTP/1.1
Host: server.example.com Authorization: Bearer mF_9.B5f-4.1JqM
Your resource server contacts the Slim API on the back-end to determine your permissions. The server then decides what you're allowed to see.
If you don't like sending it as a header, see section 2.2, which describes how to send it in the body, or section 2.3 which sends it as a URI query.
These obviously do not need to be different servers. You can implement it how you wish.
You could do it this way.
Each user has a private key (a random alpha-numeric x long string) - which is unique to each user.
On every request, you can hash_hmac the request with their private key which will generate a unique request key for each user. For example:
Request:
GET /v1/products/coffee
Private key:
ww9k6fcysu30sbuzu7ez57z2kzvefyxwosrjcnwo
I would then generate a request key like;
hash_hmac("sha1", "GET /v1/products/coffee", "ww9k6fcysu30sbuzu7ez57z2kzvefyxwosrjcnwo");
This would give me a request key of: 45751dce6ef93655a71e7b82a6179591c346c2c1 for this GET request only. It will also ensure the client intended for this endpoint and hasn't been tampered with.
On the receiving end you would perform the same hash_hmac routine with the users private key (they would need to pass in their username in the request - for example - to perform a lookup to fetch the private key) and compare the two results.
hash_hmac("sha1", $_SERVER['REQUEST_METHOD'] . " " . $_SERVER['REDIRECT_URL'], $user_private_key);
For added bonus, you would get a hash for POST/PUT body content and append that in the request query string and authenticate that on the receiving end. For example;
$bodyhash = md5(implode(",", $_POST));
When a user logs out, deactivate the private key and assign them a new one on next login.
来源:https://stackoverflow.com/questions/29147654/how-should-i-implement-token-based-authentication-to-a-set-of-web-apis-in-a-se