user3142206 user3142206 - 24 days ago 10
PHP Question

Token Authentication Rest API Session

I am using the Slim Framework for a REST API, and a REST API is stateless. Before using this, I created a SESSION on the server side and then controlled it on every page. But now, I don't know how to control it.

I have an api_key in my database for each user. After the user signs in, I respond with the api_key from the REST API, and I redirect the user to index.php. But I lose the api_key. How can I pass the api_key to each page with JavaScript? Because if someone wants data from my REST API, they have to send me an API key, and also, if the user logged in before, I don't want to show the login page again.

Here is my REST API part:

    // Login: checks the credentials and returns the user's api_key.
    $app->post('/userlogin', function() use ($app) {
        verifyRequiredParams(array('email', 'password'));
        $email = $app->request->post('email');
        $password = $app->request->post('password');

        $objUserRegLog = new UserRegistrationLogin;
        $result = $objUserRegLog->getUserByEmailAndPassword($email, $password);
        $response = array();
        if (!$result) {
            $response["error"] = true;
            $response["message"] = "Error! Invalid e-mail address or password.";
        } else {
            $response["error"] = false;
            $response["id"] = $result["id"];
            $response["email"] = $result["email"];
            $response["api_key"] = $result["api_key"];
        }
        echoResponse(200, $response);
    });

    // Protected route: authenticateStudent runs first as route middleware.
    $app->get('/students', 'authenticateStudent', function() use ($app) {
        $objStd = new Students;
        // The original called getAllStudents() on an undefined $objCases.
        $result = $objStd->getAllStudents();
        $response = array();
        if (!$result) {
            $response["error"] = true;
            $response["error_msg"] = "An error occurred.";
            $status_code = 404;
        } else {
            $response["error"] = false;
            $response["cases"] = $result;
            $status_code = 200;
        }
        echoResponse($status_code, $response);
    });

    // Route middleware: expects the api_key in the Authorization request header.
    function authenticateStudent(\Slim\Route $route) {
        $headers = apache_request_headers();
        $response = array();
        $app = \Slim\Slim::getInstance();

        if (isset($headers['Authorization'])) {
            $db = new DbOperation();
            $api_key = $headers['Authorization'];
            if (!$db->isValidStudent($api_key)) {
                $response["error"] = true;
                $response["message"] = "Access Denied. Invalid Api key";
                echoResponse(401, $response);
                $app->stop();
            }
        } else {
            $response["error"] = true;
            $response["message"] = "Api key is missing";
            echoResponse(400, $response);
            $app->stop();
        }
    }


And I call it with AJAX:

    $.signin = function() {
        var inputVals = $("#form_signin").serialize();
        $.ajax({
            url : "api/v1/userlogin",
            data : inputVals,
            dataType : "json",
            type : "post",
            success : function(response) {
                if (response.error) {
                    $(".popup").trigger("click");
                    $(".modal-title").html(response.message_title);
                    $(".modal-body").html(response.message);
                } else {
                    window.location.href = "index.php";
                }
                console.log(response);
            }
        });
        return false;
    };

Answer

Well, you need to understand that every request the client sends to your server is independent, so you need to put a variable (the token) in the client system in order to let him send it in every request, so you know who is talking to your server all the time. Start by reading this: http://www.w3schools.com/php/php_cookies.asp

Once you understand what cookies are and how they work, try to read further about authentication and authorization topics.
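
Added example, not part of the original question or answer: one way to keep the api_key on the client after /userlogin and send it in the Authorization header that authenticateStudent reads. The names createApiClient, KEY_NAME and login.php are assumptions made for this sketch; the storage object and HTTP function are passed in, so the same logic works with sessionStorage and fetch in a browser.

```javascript
// Client-side session helper for the API shown in the question (added example).
// `store` needs getItem/setItem/removeItem (e.g. sessionStorage);
// `http` is any fetch-compatible function; `onLoggedOut` shows the login page.
const KEY_NAME = "api_key"; // storage key name chosen for this example

function createApiClient(store, http, onLoggedOut) {
  return {
    // Call from the /userlogin success handler before redirecting to index.php.
    saveLogin(response) {
      if (response.error || !response.api_key) return false;
      store.setItem(KEY_NAME, response.api_key);
      return true;
    },
    // Lets each page decide whether the login form has to be shown at all.
    isLoggedIn() {
      return store.getItem(KEY_NAME) !== null;
    },
    // GET with the key in the Authorization header.
    async get(url) {
      const apiKey = store.getItem(KEY_NAME);
      if (apiKey === null) {            // no key stored in this browser
        onLoggedOut();
        return null;
      }
      const res = await http(url, { headers: { Authorization: apiKey } });
      // The API answers 400 (key missing) or 401 (key rejected).
      if (res.status === 400 || res.status === 401) {
        store.removeItem(KEY_NAME);     // drop the stale key
        onLoggedOut();
        return null;
      }
      return res.json();
    },
    logout() {
      store.removeItem(KEY_NAME);
      onLoggedOut();
    },
  };
}

// Browser wiring (login.php is an assumed page name):
// const api = createApiClient(sessionStorage, fetch,
//   () => { window.location.href = "login.php"; });
// api.get("api/v1/students").then((data) => console.log(data));
```

Anything kept in sessionStorage is readable by every script running on the page, so a cross-site scripting flaw exposes the key. A cookie set by the server with the HttpOnly and Secure attributes keeps the value out of reach of page scripts, but cookie-authenticated routes then need CSRF protection.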