0

I'm new to creating API's and I am making an API for my php site. Now in any case what I am currently doing is having my script do a cURL call to some php file which does all the processing. Aka im doing a POST call for example to an api file which lets say creates a forum post for that user. Now the important thing to me is how do I authenticate and retrieve which user is sending the data. So how do I know the cURL call came from my server?

What I was going to do is have my server have a secret key that is passed in the api call and verified by the api file. The api file would make sure the key is correct and then take whatever username was passed in for example to make a forum post. My only concern is if this key is ever found out im screwed. I also want to be able to have the site work lets say as an android app so I want to be able to make curl calls lets say (not sure if thats possible) and have some authentication key sent to my server but I never want the user to be able to packet inspect for the secret key.

So my question is how can I securely do curl calls, since when I do a curl call it doesn't read any of the $_SESSION values I have set (unless im missing something). Any help is much appreciated. I was also thinking of authenticating using the username and password each time the only problem is I kind of want to avoid having to verify that the username and password is correct every time an api call is done since thats going to be another query that has to be done. But if that is the recommended way or the industry way then ill do it that way. Just looking for how to handle everything the proper way.

user2443941
  • 59
  • 3
  • Do you know about OAuth and OAuth2? There is a good OAuth2 implementation for PHP: https://github.com/bshaffer/oauth2-server-php – Anorgan Jun 25 '13 at 07:40
  • The way I do it is every user created on the web interface is assigned a mobile key. When a user first runs the mobile app it asks for username and password. they are sent over https to the api which checks them and returns the user key for that user the user key is then passed to the api with every other call save full reauth. User key is expired once a month. Probably better solutions out there but it works for me I can also revoke them on command without resetting username/passwords etc. This doesn't allow mobile registration though that has to be done via web – Dave Jun 25 '13 at 07:41

1 Answers1

0

You should look into implementing OAuth then.

Neo
  • 876
  • 1
  • 9
  • 25
  • I have a question then, is their only certain things I should create an API for? And therefore a cURL call. Like user registration lets say should that be done by my controller file that hooks into my registration page. Or should I allow my controller to take all the data and send it via cURL to an api that cleans the data etc and creates the account. My biggest concern at the moment is what's the most efficient way for my server to authenticate api calls. At the moment and for the near future all my API calls will be done by the server and through ajax calls ajax will only be retrieving data) – user2443941 Jun 25 '13 at 07:48