
I am using CodeIgniter restserver for a social networking project. I want to access all my site functions (i.e. login, getfriends, postcomments, uploadimages etc.) through the API. Now I have a question: should I put any type of authentication on the API (rest_auth, key etc.) or should I keep it open? How should the API be designed?

I believe that by using restserver's own authentication settings in config, every function call will require authentication, but in my case I don't need authentication for the login or signup functions.

Can I use my own session checks inside functions? Or is there a better approach, as I believe restserver will definitely have something I am missing here.

iZeshan

1 Answer

If you want to use your own session check, you can try the session option in $config['rest_auth'].

According to the docs:

If you're tying this library into an AJAX endpoint where clients authenticate using PHP sessions then you may not like either of the digest nor basic authentication methods.

In that case, you can tell the REST Library what PHP session variable to check for. If the variable exists, then the user is authorized. It will be up to your application to set that variable.

You can define the variable in $config['auth_source']. Then tell the library to use a php session variable by setting $config['rest_auth'] to session.

Anyway, I wouldn't recommend this option because, being a social network website, in the future you may want to have, for example, a mobile app which will need access to this API. And there you won't have PHP sessions to check for.

From what I have read, OAuth2 is the best option to go for to secure REST APIs, but I don't know how to implement it yet.

For now, what I'm doing on my CodeIgniter REST API is to generate API keys for each user. Those keys have an expiration date. When the expiration date is reached, the API key is removed from the list and the user has to re-authenticate (log in) to get a new API key.

Hope this helps you a bit. I'm also in this same search and that's as far as I have got.

Dani Aguado
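As an added example (not code from the question, the answer, or the restserver library), here is the per-user expiring key scheme Dani describes, written out in plain PHP. The in-memory $keys array, the 24-hour lifetime and the function names are assumptions standing in for a real database table and your own naming:

```php
<?php
// Added example: minimal per-user, expiring API keys as described in the answer.
// Assumption: $keys stands in for a DB table with columns key_hash, user_id, expires.

const API_KEY_TTL = 86400;   // assumed key lifetime in seconds (24 h)

$keys = [];                   // key_hash => ['user_id' => int, 'expires' => int]

// Issue a fresh key after a successful login. Only the SHA-256 of the key is
// stored, so a leaked table does not hand out usable credentials.
function issue_api_key(array &$keys, int $userId, int $now): string
{
    $plain = bin2hex(random_bytes(32));   // 256-bit random key from the CSPRNG
    $keys[hash('sha256', $plain)] = [
        'user_id' => $userId,
        'expires' => $now + API_KEY_TTL,
    ];
    return $plain;                         // returned to the client exactly once
}

// Resolve a presented key to a user id, or null if it is unknown or expired.
// An expired row is deleted on sight, matching "API key is removed from the list",
// so the client has to log in again to obtain a new one.
function user_for_api_key(array &$keys, string $presented, int $now): ?int
{
    $h = hash('sha256', $presented);       // look up by hash, as a DB index would
    if (!isset($keys[$h])) {
        return null;
    }
    if ($keys[$h]['expires'] <= $now) {
        unset($keys[$h]);
        return null;
    }
    return $keys[$h]['user_id'];
}

// Usage: hand the key out from the login endpoint, check it on every other one.
$now  = time();
$key  = issue_api_key($keys, 42, $now);
$user = user_for_api_key($keys, $key, $now);                    // fresh key, inside its lifetime
$late = user_for_api_key($keys, $key, $now + API_KEY_TTL + 1);  // same key after the TTL elapsed
$none = user_for_api_key($keys, 'bogus', $now);                 // unknown key
```

In a restserver controller the lookup would run before any method other than login or signup, and the key itself should only ever travel over HTTPS.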
Thanks. I have decided not to write everything in the API; I will create an API for separate purposes only (for specific purposes) and everything else will be done the typical way without the API. I know it will cost me a lot of time if in the future I develop an app for my project, but right now at this stage this is the only solution I am willing to adopt. – iZeshan Aug 04 '17 at 04:38