  1. #1
    SitePoint Enthusiast

    Custom API Authentication problem

    I am trying to create an API in Codeigniter, and I want the entire API to be private. What is the best way to authenticate each request?

    Is GET passing a username and password good practice, i.e. http://localhost/api/admin/12345/user/get_data/1 ?

    Here is my code. At the moment I am just hardcoding the passwords, but I need to figure out a way to pass them dynamically.

    PHP Code:
      function ci_curl($new_name, $new_email)
      {
          // Hardcoded for now; these still need to be supplied dynamically
          $username = 'admin';
          $password = '1234';

          // CodeIgniter curl library (Phil Sturgeon's)
          $this->load->library('curl');

          $this->curl->create('http://localhost/restserver/index.php/example_api/user/id/1/format/json');

          // Optional, delete this line if your API is open
          $this->curl->http_login($username, $password);

          $this->curl->post(array(
              'name'  => $new_name,
              'email' => $new_email
          ));

          // The REST server answers with JSON; decode it into an object
          $result = json_decode($this->curl->execute());

          if (isset($result->status) && $result->status == 'success')
          {
              echo 'User has been updated.';
          }
          else
          {
              echo 'Something has gone wrong';
          }
      }

  2. #2
    ScallioXTX
    I wouldn't recommend sending a username and password in the GET request, as GET parameters are too sensitive and may be cached if there are caching servers in play (which may not be the case now, but could be added later).

    Instead, I'd opt (and have used myself) for two-legged OAuth. A good example of how you can use that is over here: http://developer.yahoo.com/blogs/ydn...lient_example/

    The advantage of OAuth is (among others) that credentials are not sent over the wire in plain sight (except for maybe the initial token request), and it's not possible to replay requests (i.e., take a request somebody else fired earlier and fire it again).

    It's pretty much the de facto standard for APIs at this point.
    Rémon - Hosting Advisor
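    As an added illustration of the two-legged OAuth approach recommended in the reply above (this is not the original poster's code, not ScallioXTX's code and not the CodeIgniter curl library): a client-side signer and a server-side verifier in plain PHP, using the OAuth 1.0 HMAC-SHA1 signature scheme. The shared secret never travels over the wire; only a signature over the method, URL, parameters, a nonce and a timestamp does, and the server rejects stale timestamps and nonces it has already seen, which is what blocks replays. The consumer key/secret values, the in-memory nonce store and the sample request are constructed for this example; a real deployment would keep secrets and seen nonces in a database or cache and call `verify_request()` from the API controller.

```php
<?php
// Added example: OAuth 1.0-style two-legged request signing (HMAC-SHA1) in plain PHP.
// Not the poster's code and not CodeIgniter's curl library. Consumer key/secret
// values and the $seen nonce store are constructed for this demonstration.

// Server-side registry of API clients: consumer key => shared secret (constructed values).
$CONSUMERS = ['admin-client' => 's3cr3t-shared-secret'];

// OAuth 1.0 signature base string: METHOD & encoded URL & encoded, sorted parameter string.
function oauth_base_string($method, $url, array $params) {
    ksort($params);
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = rawurlencode($k) . '=' . rawurlencode($v);
    }
    return strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode(implode('&', $pairs));
}

// Two-legged OAuth has no token secret, so the HMAC key is "consumer_secret&".
function oauth_signature($method, $url, array $params, $consumer_secret) {
    $key = rawurlencode($consumer_secret) . '&';
    return base64_encode(hash_hmac('sha1', oauth_base_string($method, $url, $params), $key, true));
}

// Client side: add the oauth_* fields and sign; the secret itself is never sent.
function sign_request($method, $url, array $params, $consumer_key, $consumer_secret) {
    $params += [
        'oauth_consumer_key'     => $consumer_key,
        'oauth_nonce'            => bin2hex(random_bytes(16)),   // fresh per request
        'oauth_timestamp'        => (string) time(),
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_version'          => '1.0',
    ];
    $params['oauth_signature'] = oauth_signature($method, $url, $params, $consumer_secret);
    return $params;
}

// Server side: recompute the signature, compare in constant time, reject stale
// timestamps and reused nonces. $seen maps "consumer:nonce" => time first seen.
function verify_request($method, $url, array $params, array $consumers, array &$seen, $window = 300) {
    foreach (['oauth_consumer_key', 'oauth_nonce', 'oauth_timestamp', 'oauth_signature'] as $field) {
        if (!isset($params[$field])) return false;
    }
    $consumer_key = $params['oauth_consumer_key'];
    if (!isset($consumers[$consumer_key])) return false;

    // Replay protection, part 1: the request must be recent.
    if (abs(time() - (int) $params['oauth_timestamp']) > $window) return false;

    // Replay protection, part 2: the nonce must not have been used within the window.
    $nonce_id = $consumer_key . ':' . $params['oauth_nonce'];
    if (isset($seen[$nonce_id])) return false;

    // Integrity: the signature must match over every parameter except itself.
    $provided = $params['oauth_signature'];
    unset($params['oauth_signature']);
    $expected = oauth_signature($method, $url, $params, $consumers[$consumer_key]);
    if (!hash_equals($expected, $provided)) return false;

    $seen[$nonce_id] = time();   // production: persist with expiry of $window seconds
    return true;
}

// Demonstration with a constructed request against the REST server URL from the thread.
$url  = 'http://localhost/restserver/index.php/example_api/user';
$seen = [];

$signed = sign_request('POST', $url, ['name' => 'Alice', 'email' => 'alice@example.com'],
                       'admin-client', $CONSUMERS['admin-client']);
var_dump(verify_request('POST', $url, $signed, $CONSUMERS, $seen));   // bool(true)
var_dump(verify_request('POST', $url, $signed, $CONSUMERS, $seen));   // bool(false): same nonce replayed

$tampered = sign_request('POST', $url, ['name' => 'Alice', 'email' => 'alice@example.com'],
                         'admin-client', $CONSUMERS['admin-client']);
$tampered['email'] = 'mallory@example.com';                            // body altered after signing
var_dump(verify_request('POST', $url, $tampered, $CONSUMERS, $seen)); // bool(false): signature mismatch
```

    Compared with the poster's `http_login()` call, the password-equivalent (the consumer secret) is never transmitted, so it cannot be logged by proxies or cached by intermediate servers, and a captured request is useless after its nonce has been consumed or its timestamp has aged out. The signing still has to run over HTTPS if the request body itself is confidential; OAuth signing protects authenticity and freshness, not the secrecy of the payload.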