How to authenticate user with Fuelphp REST? - rest

I am new to Fuel PHP... I am working on a project with REST architecture in Fuelphp..... I didn't found any tutorial how to achieve the required functionality "User Authentication using Fuel PHP REST".
As REST server is stateless how do we use auth package of fuelphp in rest api?

As you also pointed, REST calls are somewhat stateless meaning you have no session to store.
The auth documentation has some methods which checks user credentials, but does not store authentication. There are no offical way of doing this.

One of the methods that I have used in the past is to use a token based system. You have an API token linked to an Auth user then this token is supplied in the Authorize header when making a request, the token is then checked against known tokens and if valid a forced login is performed with the Auth package.

Related

RESTful API with Google API and OAuth2

As the title says, I want to create a RESTful API (stateless) that will access Google API endpoints. First I want to authenticate the user and then use that token provided by Google to access Google Calendar API.
This is the current flow of the app:
Flow
Is there any other way to achieve this since my Nodejs service is signing an already signed JWT token provided by Google (I need to track expiration times for both access tokens)?
I am doing this because I don't want to use Google's access token for my own endpoint authentication.
This is a valid embedded token pattern, where the Google access token is just a custom claim in your own access token.
The client can call your API, using its main token
The API can authorize correctly, based on claims and scopes you have issued for your own data
When required, your API can use the embedded token to get external Google data the user has consented to
Your API should handle 401s from Google APIs in the standard way, as in this code of mine.
Your nodejs service is actually implementing 2 roles here. Consider separating these into a token service and a business service:
Token issuing. A technical job most commonly done by an authorization server.
REST API. A business focused component.

How to authenticate and authorize a user in username/password and google sign in?

The architecture of the system is like this
User can log into the website using either username-password approach (after registration) or a google-sign-in.
I want to know how can I implement authentication and authorization for this scenario.
Here is what I am thinking of implementing :
Have an REST API server built over NodeJS and Express.
The login and registration processes are handled by this server as well.
The authentication is done by using JWT Tokens stored in the client side. And these tokens are then used again for authorization of endpoints as well.
How much secure is this approach? And how can google sign in be added to this architecture.
And also if a seperate server for making auth requests is needed as mentioned in OAuth 2.0?
It would be better if the system remains Stateless to follow the principles of RESTFul APIs.
This post that I have written might give you some insight.
https://dev.to/ralphwjz/login-management-for-spa-and-everyone-else-12o6
The post covers Github login but if you replace GitHub with google, the rest of the flow is exactly the same.
I can answer more questions once in context

What is the advantage of a custom API in Auth0?

Question
I got a problem with understanding some basic thing about auth0, probably someone can help me out.
In the tutorial SPA + API one of the first lines in the TDLR is this:
Both the SPA and the API must be configured in the Auth0 Dashboard
I dont understand why I need to configure the API on Auth0. My code seems to work so can anyone help me understand if I do something wrong or what the advantages are if I actually add a custom API in my dashboard?
Setup
SPA (React)
Auth0
REST API (ktor)
What I do
Created a SPA on Auth0
Login on my SPA through Auth0 to get a JWT (google token)
Sending the JWT as authentication bearer in my calls to the REST API
REST API verifies the JWT token with a JWK provider using the Auth0 url mydomain.eu.auth0.com/.well-known/jwks.json.
Authentication seems to work
Great question, I am assuming that your authentication request includes audience parameter which represents your custom API(Rest API)right now. In oauth2 terms, it is called Resource Server. Each resource server can have many permissions which you include in the scope when initiating the authentication request. Let's step back and talk about the token format. Auth0 issues token in two formats:
Opaque strings: When not using a custom API
JSON Web Tokens (JWTs): When using a custom API
https://auth0.com/docs/tokens/reference/access-token/access-token-formats#how-does-all-this-affect-the-token-format-
As explained above link, the token format depends on the audience (Custom API) parameter. Therefore, when the authentication request includes audience, auth0 issues JWT token with all necessary permission. Then, you need to validate the JWT token in your API server before returning the resources to your front end client.
It should make sense why you need to create custom API in auth0 and define permissions. If you do not create custom API in auth0, there is no way to know what kind of permission you need in the token which will generate an error(invalid audience specified)

Forcing external apps to use the API

I have a website allowing authenticated users to submit and edit data. I also want to offer a REST API as part of a chargeable service.
Now the problem is that a non-paying user could theoretically use the same calls my website uses as API for authentication and sending data from his external application since it is very easy in the browser to see the endpoint what and how exactly the data is being sent to a website.
How can I protect my website from such usage and force the user to use API for external access?
Actually you cannot prevent people making requests to a public API. You can just validate the user when a request arrives. So there are more than one approach to solve this problem.
I would provide a token per session for each user and validate the rest API request at back-end.
Use OAuth2. So you will give paid user secret id and key then they will ask for the access token to access the API's using secret id and key.
Read about public/private key encryption https://en.wikipedia.org/wiki/Public-key_cryptography
Read about oAuth
https://oauth.net/2/
I have used passport to implement oAuth2 in laravel. passport is oAuth2 implementation and available in other languages also.

Laravel 5 REST Api

I am using laravel 5.1
I want to make login using REST api. I have searched about Sentry. But there is no documentation for Laravel 5. I don't know it will work with laravel 5. I just want to know what is the best way to login my laravel application using REST?
Laravel for Rest API development Good Choice
Even I am using it for Rest API development
For Login I am using a session field from database which acts as token for validating user accessing the API
so, if the request has the session token and it matches to the token from database then its a valid request
this approach is taken by me for validating request to my API, And every login I am resetting the token
How to create the token
Token should be able to identify the user i.e. which user is sending the token for that I am creating token by hashing userID + salt(Random and very long string).
How it works
User who is able to access the API sends login credentials, if the credentials are valid I am creating token for the user and storing the token in database with the user whose credentials are provided and sending the token value to the user as response and next time I am validating each request with the Access token
Recommendation
Instead of Laravel you can consider using Lumen(A micro-framework by Laravel) also for developing rest API.
For detailed information about rest and rest authentication
How to do authentication with a REST API right? (Browser + Native clients)
What exactly is RESTful programming?
What is REST? Slightly confused
RESTful Authentication