Yii
Almik Oh! Give me a guitar, 2014-11-06 11:13:19

Yii restful: how to make authentication between app and website?

Hello!
I have a REST API that returns data, but only to programs or users that present a valid login and password.
I have put together something myself (below), but I would like to know whether there are better, more robust
options.

<?php

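class ApiController extends Controller
{
  /**
   * Shared service credentials accepted by _checkAuth().
   *
   * NOTE(review): these are hard-coded in source, so anyone with read access
   * to the repository has them. The "token" _checkAuth() accepts is a fixed
   * digest of exactly these two values, never expires, and is therefore
   * equivalent to the password. Move them to configuration outside version
   * control and rotate the current values.
   */
  private $password = "121212";
  private $login = "webservice";

  const APPLICATION_ID = 'ASCCPE';

  /** Output format used by _getObjectEncoded(); overridable with ?format=json|xml. */
  private $format = 'json';

  /**
   * Yii filter chain for this controller.
   *
   * It is empty, so nothing is enforced framework-wide and every action has to
   * call _checkAuth() itself (actionIndex stays open on purpose). A filter that
   * applied _checkAuth() to all other actions would make that harder to forget;
   * actionSport() and actionIdsupport() originally did forget it.
   *
   * @return array
   */
  public function filters()
  {
    return array();
  }

  /**
   * Unauthenticated smoke-test endpoint: emits the JSON array [1,2,3].
   */
  public function actionIndex()
  {
    echo CJSON::encode(array(1, 2, 3));
  }

  /**
   * Laundry module.
   *
   * Without ?selected= the LDAP record for ?id= is dumped; with it, a
   * JavaScript alert naming the selected sub-module is emitted.
   * Requires service credentials (see _checkAuth()).
   */
  public function actionLaundry()
  {
    $this->_checkAuth();
    $id = $this->_requireId();

    if (!isset($_GET['selected'])) {
      $this->_renderStudentInfo($id);
      return;
    }

    $this->_renderModuleAlert($_GET['selected'], $id, array(
      'bedsets'  => 'Laundry:BEDSETS',
      'softbeds' => 'Laundry:SOFTBEDS',
      'personal' => 'Laundry:PERSONAL BELONGINGS',
      'history'  => 'Laundry:HISTORY',
    ), 'ERROR: Wrong Laundry Module!');
  }

  /**
   * Sport-centre module; same shape as actionLaundry() with only the
   * 'history' sub-module enabled.
   *
   * Fix: the original never called _checkAuth(), so the LDAP lookup was
   * reachable without any credentials.
   */
  public function actionSport()
  {
    $this->_checkAuth();
    $id = $this->_requireId();

    if (!isset($_GET['selected'])) {
      $this->_renderStudentInfo($id);
      return;
    }

    $this->_renderModuleAlert($_GET['selected'], $id, array(
      'history' => 'Sport Center:HISTORY',
    ), 'ERROR: Wrong Sport Center Module!');
  }

  /**
   * ID-card recovery module; same shape as actionSport().
   *
   * Fix: the original never called _checkAuth().
   */
  public function actionIdsupport()
  {
    $this->_checkAuth();
    $id = $this->_requireId();

    if (!isset($_GET['selected'])) {
      $this->_renderStudentInfo($id);
      return;
    }

    $this->_renderModuleAlert($_GET['selected'], $id, array(
      'history' => 'Recovering ID card:HISTORY',
    ), 'ERROR: Wrong Recovering ID card Module!');
  }

  /**
   * Returns the mandatory ?id= parameter, or ends the request.
   *
   * Responds 400 (the original used 500) because a missing client parameter
   * is a client error. Array-valued ids (?id[]=x) are rejected the same way
   * so the LDAP component always receives a string.
   *
   * @return string
   */
  private function _requireId()
  {
    if (!isset($_GET['id']) || !is_string($_GET['id'])) {
      $this->_sendResponse(400, 'Error: Parameter <b>id</b> is missing');
    }
    return $_GET['id'];
  }

  /**
   * Looks the student up in LDAP and dumps the record inside <pre>, or ends
   * the request with 404 when nothing is found.
   *
   * NOTE(review): whether LdapComponent::getInfoStudent() escapes $id for the
   * LDAP filter (ldap_escape) is not visible from here — confirm, as $id is
   * attacker-controlled.
   *
   * @param string $id untrusted student id
   */
  private function _renderStudentInfo($id)
  {
    $ldap = new LdapComponent();
    $result = $ldap->getInfoStudent($id);

    if (is_null($result)) {
      // $id is reflected into an HTML response: escape it.
      $this->_sendResponse(404, 'No Item found with id ' . $this->_html($id));
    }

    // LDAP attribute values are data, not markup: escape the dump as well.
    echo "<pre>";
    echo $this->_html(print_r($result, true));
    echo "</pre>";
  }

  /**
   * Emits the JavaScript alert for the selected sub-module.
   *
   * @param mixed  $selected   raw ?selected= value (non-strings fall through
   *                           to the error alert, as the original switch did)
   * @param string $id         untrusted student id
   * @param array  $modules    selected-value => alert label
   * @param string $errorLabel alert text for an unknown module
   */
  private function _renderModuleAlert($selected, $id, array $modules, $errorLabel)
  {
    if (!is_string($selected) || !isset($modules[$selected])) {
      echo "<script>alert('" . $errorLabel . "')</script>";
      return;
    }

    // $id lands in a JS string literal inside <script>. Encode it as a JSON
    // string with the HTML-significant characters hex-escaped, so neither the
    // JS string nor the surrounding HTML can be broken out of.
    $jsId = json_encode($id, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($jsId === false) {
      $jsId = '""'; // e.g. invalid UTF-8: show nothing rather than emit broken JS
    }

    echo "<script>alert('" . $modules[$selected] . " info of student ID = '+" . $jsId . ")</script>";
  }

  /**
   * HTML-escapes a value for output into an HTML (text or attribute) context.
   *
   * @param mixed $value
   * @return string
   */
  private function _html($value)
  {
    return htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
  }

  /**
   * Reads one credential from the request as a string.
   *
   * Returns '' when the value is absent or not a plain string (for example
   * ?X_WEB_SERVICE_TOKEN[]=x), so the comparisons in _checkAuth() always
   * operate on strings.
   *
   * NOTE(review): $_REQUEST also accepts these values from the query string,
   * which puts credentials into access logs, browser history and Referer
   * headers. Clients should send them in a request header or POST body.
   *
   * @param string $key
   * @return string
   */
  private function _requestString($key)
  {
    return (isset($_REQUEST[$key]) && is_string($_REQUEST[$key])) ? $_REQUEST[$key] : '';
  }

  /**
   * Sends an HTTP status line, a Content-Type header and a body, then
   * terminates the request. With an empty $body a small HTML error page
   * for the status code is generated instead.
   *
   * @param int    $status       HTTP status code
   * @param string $body         response body; '' to generate the error page
   * @param string $content_type value of the Content-Type header
   * @return void never returns: always calls exit
   */
  private function _sendResponse($status = 200, $body = '', $content_type = 'text/html')
  {
    $reason = $this->_getStatusCodeMessage($status);
    header('HTTP/1.1 ' . $status . ' ' . $reason);
    header('Content-type: ' . $content_type);

    if ($body !== '') {
      echo $body;
      exit;
    }

    switch ($status) {
      case 401:
        $message = 'You must be authorized to view this page.';
        break;
      case 404:
        // REQUEST_URI is attacker-controlled and is reflected into HTML.
        $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
        $message = 'The requested URL ' . $this->_html($uri) . ' was not found.';
        break;
      case 500:
        $message = 'The server encountered an error processing your request.';
        break;
      case 501:
        $message = 'The requested method is not implemented.';
        break;
      default:
        $message = '';
    }

    // Mirrors Apache's "ServerSignature On" footer when the server does not
    // provide one. NOTE(review): this advertises server software, host and
    // port to anyone who can trigger an error; a fixed string would leak less.
    if (!empty($_SERVER['SERVER_SIGNATURE'])) {
      $signature = $_SERVER['SERVER_SIGNATURE'];
    } else {
      $signature = (isset($_SERVER['SERVER_SOFTWARE']) ? $_SERVER['SERVER_SOFTWARE'] : '')
        . ' Server at ' . (isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : '')
        . ' Port ' . (isset($_SERVER['SERVER_PORT']) ? $_SERVER['SERVER_PORT'] : '');
    }

    $page = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
            <html>
              <head>
                <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
                <title>' . $status . ' ' . $reason . '</title>
              </head>
              <body>
                <h1>' . $reason . '</h1>
                <p>' . $message . '</p>
                <hr />
                <address>' . $this->_html($signature) . '</address>
              </body>
            </html>';

    echo $page;
    exit;
  }

  /**
   * Maps an HTTP status code to its reason phrase ('' for unknown codes).
   *
   * @param mixed $status
   * @return string
   */
  private function _getStatusCodeMessage($status)
  {
    static $codes = array(
      100 => 'Continue',
      101 => 'Switching Protocols',
      200 => 'OK',
      201 => 'Created',
      202 => 'Accepted',
      203 => 'Non-Authoritative Information',
      204 => 'No Content',
      205 => 'Reset Content',
      206 => 'Partial Content',
      300 => 'Multiple Choices',
      301 => 'Moved Permanently',
      302 => 'Found',
      303 => 'See Other',
      304 => 'Not Modified',
      305 => 'Use Proxy',
      306 => '(Unused)',
      307 => 'Temporary Redirect',
      400 => 'Bad Request',
      401 => 'Unauthorized',
      402 => 'Payment Required',
      403 => 'Forbidden',
      404 => 'Not Found',
      405 => 'Method Not Allowed',
      406 => 'Not Acceptable',
      407 => 'Proxy Authentication Required',
      408 => 'Request Timeout',
      409 => 'Conflict',
      410 => 'Gone',
      411 => 'Length Required',
      412 => 'Precondition Failed',
      413 => 'Request Entity Too Large',
      414 => 'Request-URI Too Long',
      415 => 'Unsupported Media Type',
      416 => 'Requested Range Not Satisfiable',
      417 => 'Expectation Failed',
      500 => 'Internal Server Error',
      501 => 'Not Implemented',
      502 => 'Bad Gateway',
      503 => 'Service Unavailable',
      504 => 'Gateway Timeout',
      505 => 'HTTP Version Not Supported',
    );

    return isset($codes[$status]) ? $codes[$status] : '';
  }

  /**
   * Ends the request with 401 unless it carries valid service credentials.
   *
   * Two forms are accepted from the request (query string, POST body or
   * cookie, since $_REQUEST is used):
   *   - X_WEB_SERVICE_TOKEN: must equal sha1(login . "?" . password);
   *   - otherwise X_WEB_SERVICE_LOG / X_WEB_SERVICE_PASS: must both match.
   *
   * Fix: the original rejected only when BOTH login and password were wrong
   * (&&), so a correct login with any password was accepted. Comparisons now
   * use hash_equals() so the byte-by-byte short-circuit of === cannot leak
   * the secret through timing.
   *
   * NOTE(review): the token is a static digest of the credentials with no
   * expiry and no per-client secret, so it is just a second password; a
   * random, server-stored, expiring token would be the real fix.
   *
   * @return void
   */
  private function _checkAuth()
  {
    $token    = $this->_requestString('X_WEB_SERVICE_TOKEN');
    $login    = $this->_requestString('X_WEB_SERVICE_LOG');
    $password = $this->_requestString('X_WEB_SERVICE_PASS');

    $serverToken = sha1($this->login . "?" . $this->password);

    if (empty($token)) {
      if (!hash_equals($this->login, $login) || !hash_equals($this->password, $password)) {
        $this->_sendResponse(401);
      }
      // Kept for compatibility with the original: the token is stashed in the
      // request but never returned to the caller.
      $_REQUEST['X_WEB_SERVICE_TOKEN'] = $serverToken;
      return;
    }

    if (!hash_equals($serverToken, $token)) {
      $this->_sendResponse(401);
    }
  }

  /**
   * Encodes $array as JSON (default) or, with ?format=xml, as a flat XML
   * document whose root element is named after $model.
   *
   * @param mixed $model root element name; the commented-out caller took it
   *                     from ?model=, i.e. it must be treated as untrusted
   * @param mixed $array key => scalar value pairs to encode
   * @return string|null null for an unknown format
   */
  private function _getObjectEncoded($model, $array)
  {
    if (isset($_GET['format']) && is_string($_GET['format'])) {
      $this->format = $_GET['format'];
    }

    if ($this->format == 'json') {
      return CJSON::encode($array);
    }
    if ($this->format != 'xml') {
      return;
    }

    // Element names come from $model and the array keys; restrict them to a
    // plain XML Name so a request-controlled value cannot inject markup.
    $root = $this->_xmlName($model, 'item');

    // Fix: the original declaration '<?xml version="1.0">' lacked the closing '?>'.
    $result = '<?xml version="1.0"?>';
    $result .= "\n<$root>\n";
    foreach ($array as $key => $value) {
      $tag = $this->_xmlName($key, 'field');
      // Values are assumed to be ISO-8859-1, as the original utf8_encode()
      // implied; mb_convert_encoding() is the non-deprecated equivalent.
      // Escaping is done after conversion so the output is well-formed XML.
      $text = mb_convert_encoding((string)$value, 'UTF-8', 'ISO-8859-1');
      $text = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_XML1, 'UTF-8');
      $result .= "    <$tag>" . $text . "</$tag>\n";
    }
    $result .= '</' . $root . '>';
    return $result;
  }

  /**
   * Returns $name if it is a safe XML element name, else $fallback.
   *
   * @param mixed  $name
   * @param string $fallback
   * @return string
   */
  private function _xmlName($name, $fallback)
  {
    if ((is_string($name) || is_int($name)) && preg_match('/^[A-Za-z_][A-Za-z0-9_.-]*$/', (string)$name)) {
      return (string)$name;
    }
    return $fallback;
  }
}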
?>

4 answer(s)
Alexey Volegov, 2014-12-11
@EagleMoor

Dumping all of your code, including the parts that have nothing to do with the question, is not the best way to ask.
Conceptually, yes: if the app and the website share one session store, the site can pull the current user from it. On the REST API side you have an X-Token that identifies the user (or it may simply be a session id).
That X-Token can be passed to the site as well; if it is present in the header, authorize with it or load the user's data from the session.

Mikhail Bazhenov, 2014-11-06
@benign

Use an authentication token; the Yii 2 REST guide describes the supported schemes:
www.yiiframework.com/doc-2.0/guide-rest-authentica...

Stepan Krapivin, 2017-01-16
@xevin

To get started, put this code on jsfiddle.net or codepen.io; you will then have a much better chance that someone helps you.

Andrew, 2017-01-16
@AndrewHaze

Links have the pseudo-classes :hover, :active, :focus, etc. Start from those.
