
I am working on building a rest api just to learn and I am stuck on the login flow and how it should work.

Here are some facts about my api so far:

  1. My api is written in php.
  2. I am using http basic auth to get the username and password of the requestor. Once I grab it with $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] and check the credentials against my database table 'apiuser' to authenticate.
  3. I also have a table called 'users'. This table is meant to be the end users that will use the websites and apps that are written on my api.

Here are my questions:

  1. If I want to authenticate a user (not an apiuser) what should my rest api url look like? I have read enough to know that verbs are bad so I am leaning away from https://api.mysite.com/users/login So should it just be

    METHOD: GET
    URL: https://api.mysite.com/users
    HTTP BODY: {"username":"xxxxxx","password":"xxxxxx"}


and just return for success

    HTTP CODE: 200
    HTTP BODY: {"id_user":"xx","username":"xxxxxx","screenname":"xxxxxxx"}

and for invalid logins

    HTTP CODE: 404

I think this is the way to go, because isn't a login attempt really just like running any other GET with some parameters? In other words, would authenticating be any different than doing something like

    HTTP METHOD: GET
    URL: https://api.mysite.com/users
    HTTP BODY: {"age":"72"} 

EDIT

This api is intended to be used by only me. The idea is that I write an api and then I can write a backbone.js site, an iPhone app, an Android app etc... on top of it. It is not meant to be for the public. So that is why I avoided diving into OAuth quite yet.

Gilberg
  • Pretty good answer here: http://stackoverflow.com/questions/9386930/rest-api-authorization-authentication-web-mobile – Lawrence Cherone Jan 20 '14 at 16:40
  • @LozCherone OAuth is complicated... and scary. – Flosculus Jan 20 '14 at 16:41
  • Thanks, but I have already decided against Oauth, at least for right now. I am using http basic auth. I may use the api for projects in the future but for now it is more of a learning experience. My main questions are about the verb in the url and if my assumptions on how to execute the user login, not api login are close. – Gilberg Jan 20 '14 at 16:44

1 Answer

I POST the username and PW to the api:

http://www.mysite.com/api/authenticate/ (username and PW included in the POST collection)

That returns a long, unique token which I generate on the server.

A token is then required in request headers for all other requests. All pages (except authenticate) require a valid token or they return an error.

A login attempt is then a POST because it inserts a token record.

http://www.mysite.com/api/deauthenticate/ destroys the token (assuming a valid token is included in the header)

(also because the token is in the db, I can deauthenticate a user, requiring another login whenever I want - e.g., after 10 minutes or 10 hours)

ssaltman

  • Thanks for the answer. Am I wrong in avoiding verbs like authenticate and login? Or is it ok, if you have a token resource, to call it token instead of authenticate? Also, my main question is about authenticating users, not apiusers. I am leaning toward handling the session on the client end and leaving the rest api completely stateless. – Gilberg Jan 20 '14 at 16:50
  • Rest is supposed to be stateless, so yes to that. In terms of verbs, I think the jury is out on whether that really makes sense to try and implement, though perhaps more strict coders will disagree. I'm a bit more loose. I prefer my api calls to be intuitive without being inaccurate, so token would certainly work for me, and you could make it a GET since you are "getting" it, but I would make it a POST since the actual action within the db is to create a token. – ssaltman Jan 21 '14 at 00:07
  • After I made this post I started to think a little more about user authentication, which led me to my next question; please check it out here: http://stackoverflow.com/questions/21246744/rest-api-without-login-for-users-is-more-simple-but-is-it-right – Gilberg Jan 21 '14 at 00:28
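The authenticate / token / deauthenticate flow from the answer above, as an added PHP example that is not the answerer's code: the in-memory `$users` and `$tokens` arrays (standing in for the database tables), the `password_hash()` storage of user passwords and the `Authorization: Bearer <token>` header format are assumptions.

```php
<?php
// Added example (not the answerer's code) of the authenticate / token / deauthenticate flow the
// answer describes. Assumptions: $users stands in for the 'users' table (password_hash() hashes),
// $tokens for a token table (in memory so it runs offline), clients send "Authorization: Bearer <token>".
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 600;   // the answer's "10 minutes"
const BEARER_RE = '/^Bearer ([0-9a-f]{64})$/';
// Constructed sample data: user 'alice' with the constructed password 'correct horse'.
$users  = ['alice' => ['id_user' => 7, 'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
$tokens = [];                    // sha256(token) => ['id_user' => int, 'expires' => unix time]

// POST /authenticate: verify credentials, mint a random token, store only its hash plus an expiry.
function authenticate(array $users, array &$tokens, string $username, string $password): ?string {
    $user = $users[$username] ?? null;
    // Verify against a dummy hash for unknown users so timing does not reveal which usernames exist.
    $stored = $user['password_hash'] ?? password_hash('not-a-real-password', PASSWORD_DEFAULT);
    if (!password_verify($password, $stored) || $user === null) {
        return null;             // caller answers 401, not 404
    }
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG; the client sees it exactly once
    $tokens[hash('sha256', $token)] = ['id_user' => $user['id_user'], 'expires' => time() + TOKEN_TTL_SECONDS];
    return $token;               // a leaked token table holds only hashes, which cannot be replayed
}

// Every other endpoint: map the bearer token to a user id, or null when absent, unknown or expired.
function requireToken(array &$tokens, array $headers): ?int {
    if (!preg_match(BEARER_RE, $headers['Authorization'] ?? '', $m)) {
        return null;
    }
    $key = hash('sha256', $m[1]);
    if (isset($tokens[$key]) && $tokens[$key]['expires'] < time()) {
        unset($tokens[$key]);    // server-side expiry: the client must log in again
    }
    return $tokens[$key]['id_user'] ?? null;
}

// POST /deauthenticate: destroy the token record named in the header (only with a valid token).
function deauthenticate(array &$tokens, array $headers): bool {
    if (requireToken($tokens, $headers) === null) {
        return false;
    }
    preg_match(BEARER_RE, $headers['Authorization'], $m);
    unset($tokens[hash('sha256', $m[1])]);
    return true;
}

$headers = ['Authorization' => 'Bearer ' . authenticate($users, $tokens, 'alice', 'correct horse')];
echo requireToken($tokens, $headers) === 7 ? "accepted\n" : "rejected\n";
echo deauthenticate($tokens, $headers) && requireToken($tokens, $headers) === null ? "revoked\n" : "still valid\n";
```

Because only a hash of the token is stored, revoking a user is a single row delete and a dumped token table gives an attacker nothing to replay.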