Construct API with Token Validation

Hello.

I’m trying to create an API to access custom content types. So, I have taken the approach to use Tailor/Twig, as explained in the most recent October CMS documentation.
My application will not need a front-end, because other web applications will fetch the content by using the API.
What I want to accomplish is:

  1. Define and create the interface for custom content types in the backend and prepare their respective API endpoints.
  2. Create the interface to generate and manage tokens for the backend users in the October CMS backend site.
  3. Add an authentication layer to the API, so that the token in the incoming request could be validated against those generated and activated for the authorized backend users.

By following the official documentation, and with some valuable help from the forum members, I have the point 1 almost solved.

Some guidance or advice regarding the points 2 and 3 would be greatly appreciated.

Best regards.

Hi @jeraso did you get any further with this? I’m hoping to implement something myself. What I’m wanting to do is use something like Laravel Sanctum. :slight_smile:

Hey @ncarps

We’ve since added a JWT implementation to the RainLab.User plugin, it’s very simple and could be adapted:


Hey up, thanks for this - I’ll have a dig into it when I’m not several beers deep on a Saturday night :sweat_smile:

Are there any docs on this? In particular, with using a routes.php file rather than an editor page? Is there a middleware that can be used etc.…

[UPDATE]

I found that there’s a \RainLab\User\Classes\AuthMiddleware::class middleware. I’ll give this a try.

Hello.

I managed to implement JWT in my application, by using a plugin. More details here:

However, it seems that there is a better approach now, as suggested by @daft

Good luck!

Hi @jeraso

I already managed to do it the @daft way. But ideally I want to authorise against a different (custom) model; so not having to install the RainLab user plugin.

I have a Project model that I’d like to give an access token to. I want to use that access token to make requests from a different application. I don’t need any of the OAuth2 flow or any of that stuff. It seems pretty simple, but auth stuff isn’t my strongest point, to be honest.

I could probably write something of my own but it would be nice if there was a trait/middleware combo available for me to use.

I have 2 applications. One that manages projects and tasks and provides an API, and another one that needs access to the other’s data via the API.

A Project has a unique ID and an access token.
The access token is a random 40 character string that’s then encrypted with PHP’s `hash('sha256')` function and saved in the database.
The random string is shown only once after being created, and saved in the database on the second app, along with the project’s unique ID.

An incoming request has an `Authorization` header with the content “Bearer xxxxx_RANDOM_STRING_xxxxxx”. Each request sends with it the Project’s ID.

I then have a middleware that does the following:

  • Gets the bearer token from the request and hashes it using the same method as when it was created.
  • Gets the project ID from the request body.
  • Attempts to find a project in the system that has the same hashed token and project ID.
  • If a project is found, allow the request and return a successful response; otherwise return a 401 or 403 response.

Would this be secure enough or am I missing something important that should be implemented?
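The scheme described in the post above, written out as a Laravel/October CMS style middleware. This is an added example, not code from the thread, from RainLab.User or from October CMS itself. It assumes a hypothetical `Project` Eloquent model with `id` and `token_hash` columns and a `project_id` field in the JSON request body; the class and column names are assumptions. It differs from the post in one detail: it looks the project up by ID only and then compares the stored hash with the computed one using `hash_equals`, so the token comparison runs in constant time rather than relying on a database lookup by hash. It also includes the one-time token issuing step, using `random_bytes` to produce the 40 character string.

```php
<?php
// Added example (not the thread's own code): bearer-token middleware for a
// per-Project API token, stored hashed with SHA-256. Assumed model/columns:
// Project { id, token_hash }. Namespace and class names are hypothetical.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use App\Models\Project; // hypothetical Eloquent model with `id` and `token_hash`

class ProjectTokenAuth
{
    /**
     * Issue a fresh token for a project. The plaintext is returned exactly once
     * (to be shown to the caller and stored by the second application); only
     * its SHA-256 hash is kept in this application's database.
     */
    public static function issueToken(Project $project): string
    {
        // 20 random bytes -> 40 hex characters, matching the post's token length.
        $plain = bin2hex(random_bytes(20));
        $project->token_hash = hash('sha256', $plain);
        $project->save();
        return $plain;
    }

    /**
     * Validate "Authorization: Bearer <token>" together with the project_id
     * carried in the request body, then hand the matched project to the route.
     */
    public function handle(Request $request, Closure $next)
    {
        $token     = $request->bearerToken();       // parses the Bearer header
        $projectId = $request->input('project_id'); // from the JSON/form body

        if ($token === null || $projectId === null) {
            return response()->json(['error' => 'Unauthenticated'], 401);
        }

        // Look the project up by ID, then compare the stored hash with the hash
        // of the presented token in constant time. hash_equals() rejects a
        // mismatch without leaking how many leading bytes agreed.
        $project  = Project::find($projectId);
        $computed = hash('sha256', $token);

        if ($project === null
            || $project->token_hash === null
            || !hash_equals($project->token_hash, $computed)) {
            // Same response whether the project ID or the token was wrong, so the
            // caller cannot tell which half of the pair failed.
            return response()->json(['error' => 'Unauthenticated'], 401);
        }

        // Expose the authenticated project to the controller handling the route.
        $request->attributes->set('project', $project);

        return $next($request);
    }
}
```

To attach it to the API in a plugin's `routes.php`, the route definition would carry `->middleware(\App\Http\Middleware\ProjectTokenAuth::class)` (assumed class path), and the controller reads the project back with `$request->attributes->get('project')`. Because only the hash is stored, a copy of the `projects` table does not yield usable tokens, and rotating a token is just a second call to `issueToken`.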