I've developed a few web APIs in PHP using the Slim framework which are used by mobile apps (iOS and Android) to process their requests and get the required data.
Eventual
You could do it this way.
Each user has a private key (a random alpha-numeric x long string) - which is unique to each user.
On every request, you can hash_hmac the request with their private key which will generate a unique request key for each user. For example:
Request:
GET /v1/products/coffee
Private key:
ww9k6fcysu30sbuzu7ez57z2kzvefyxwosrjcnwo
I would then generate a request key like:
hash_hmac("sha1", "GET /v1/products/coffee", "ww9k6fcysu30sbuzu7ez57z2kzvefyxwosrjcnwo");
This would give me a request key of 45751dce6ef93655a71e7b82a6179591c346c2c1 for this GET request only. It will also ensure the client intended this endpoint and that the request hasn't been tampered with.
On the receiving end you would perform the same hash_hmac routine with the user's private key (they would need to pass in their username in the request, for example, to perform a lookup to fetch the private key) and compare the two results.
// Server side: recompute the request key from the looked-up private key and compare it with the one the client sent
hash_hmac("sha1", $_SERVER['REQUEST_METHOD'] . " " . $_SERVER['REDIRECT_URL'], $user_private_key);
As an added bonus, you would compute a hash of the POST/PUT body content, append that to the request query string and authenticate it on the receiving end. For example:
// Hash of the submitted body fields, to be compared with the value the client appended to the query string
$bodyhash = md5(implode(",", $_POST));
When a user logs out, deactivate the private key and assign them a new one on next login.
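The signing and verification steps described in this answer, as an added example that is not part of the original post: the client signs method, path and a body hash, and the server recomputes the HMAC from the stored key and compares with hash_equals. HMAC-SHA256, hash_equals, the KEY_STORE array and the function names are assumptions beyond the answer's own snippets.

```php
<?php
// Added example, not from the original answer. KEY_STORE, signRequest and
// verifyRequest are made-up names; sha256 is used instead of the answer's sha1.
declare(strict_types=1);

// Constructed sample key store: username => private key, held server-side only.
const KEY_STORE = [
    'alice' => 'ww9k6fcysu30sbuzu7ez57z2kzvefyxwosrjcnwo',
];

// Canonical string the signature covers: "METHOD /path\n<sha256 of body>".
// Covering the body hash ties POST/PUT content to the signature as well.
function canonical(string $method, string $path, string $body): string
{
    return strtoupper($method) . ' ' . $path . "\n" . hash('sha256', $body);
}

// Client side: derive the request key for one specific request.
function signRequest(string $method, string $path, string $body, string $key): string
{
    return hash_hmac('sha256', canonical($method, $path, $body), $key);
}

// Server side: look up the user's key, recompute the HMAC over what was
// actually received, and compare in constant time so timing does not leak
// how many leading characters of the expected value matched.
function verifyRequest(string $user, string $method, string $path, string $body, string $sig): bool
{
    if (!isset(KEY_STORE[$user])) {
        return false; // unknown user: reject before doing any HMAC work
    }
    $expected = signRequest($method, $path, $body, KEY_STORE[$user]);
    return hash_equals($expected, $sig);
}

// Usage with the request from the answer, plus two tampered variants.
$sig = signRequest('GET', '/v1/products/coffee', '', KEY_STORE['alice']);
var_dump(verifyRequest('alice', 'GET', '/v1/products/coffee', '', $sig)); // genuine request
var_dump(verifyRequest('alice', 'GET', '/v1/products/tea', '', $sig));    // path changed
var_dump(verifyRequest('alice', 'POST', '/v1/orders', '{"a":1}', $sig));  // method and body changed
```

In a Slim route the method, path and body would come from the PSR-7 request object rather than $_SERVER, but the verification logic is the same.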