 

Codeigniter web services

I'm using Codeigniter 1.7. Does anyone have any experience of creating web services with PHP, particularly within the CodeIgniter framework? What security measures need to be considered while implementing web services? How do you provide authentication with API keys?

Any Ideas?

siva565 asked Mar 14 '12 04:03





1 Answer

It depends on the kind of web service you are inquiring about. Is the web service going to be a daemon, for example, or a typical online web service? For either of these you must implement a RESTful type. RESTful meaning a stateless connection. This is where API keys are used; to identify a user, for example.

Luckily Codeigniter is one with many libraries and extensions. An example of such libraries can be here: https://github.com/philsturgeon/codeigniter-restserver

Now for security concerns: API keys would replace sessions or any state. You would have to make full checks on the API. Many sites that implement APIs offer different solutions to the same end result.

Authentication with API keys is simple. You would check it against a storage type (database).

Here is a tutorial using codeigniter and the library linked previously: http://net.tutsplus.com/tutorials/php/working-with-restful-services-in-codeigniter-2/

This might be somewhat vague, but since you don't have any specific problems or apparent needs, it's hard to be specific.

EDIT:

In that case it would be better implementing a RESTful interface so that your iPhone app can also use all of the user functionalities that your service provides. The best way would be to make everything accessible in one way. Meaning not having different controllers / models for the iPhone connections and web connections.

So for example you could have the following controller:

<?php

class Auth extends CI_Controller{

    public function login(){
      //Check if they're accessing using a RESTful interface;
      $restful = $this->rest->check();
      if($restful){
         //Check for the API keys;
         $apiKey    = $this->input->get('apiKey');
         $secretKey = $this->input->get('secretKey');

         //If you have any rules upon the keys you may check them (i.e. their lengths,
         //character restrictions, etc...)
         if(strlen($apiKey) == 10 and strlen($secretKey) == 14)
         {
           //Now check against the database if the keys are acceptable;
           $this->db->where('apiKey', $apiKey);
           $this->db->where('secretKey', $secretKey);
           $this->db->limit(1);
           $query = $this->db->get('keys');
           //Count the rows returned by the query just run; count_all_results()
           //would issue a separate query that ignores the WHERE clauses above.
           if($query->num_rows() == 1)
           {
             //It's accepted the keys, now authenticate the user;
             foreach ($query->result() as $row)
             {
                $user_id = $row->user_id;
                //Now generate a response key;
                $response_key = $this->somemodel->response_key($user_id);
                //Now return the response key;
                die(json_encode(array(
                    'response_key' => $response_key,
                    'user_id'      => $user_id
                )));

             } //End of Foreach
           }//End of Result Count
         }//End of length / character check;
      } else {
        //Perform your usual session login here...;

      }
   }
}

?>

Now this is just a small example for performing these types of requests. This could apply to any type of controller. Though there are a few options here. You could make every request pass the apiKey and the secret each time and verify it at each request. Or you could have some sort of whitelist so that once you have been verified the first time, each request after that would be whitelisted, and/or blacklisted on the opposite.

Hope this helps, Daniel

Daniel answered Nov 20 '22 00:11

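A hardened version of the API-key login from the answer above, written as an added example (not code from the answer, the question or CodeIgniter itself). It assumes a `keys` table with columns apiKey, secretHash (SHA-256 hex of the secret) and user_id, a hypothetical `somemodel` with a `response_key($user_id)` method as in the answer, and PHP 5.6+ for `hash_equals()`.

```php
<?php
// Added example: API-key check for a CodeIgniter 2-style controller.
// Assumed schema: keys(apiKey, secretHash, user_id). Assumed model:
// $this->somemodel->response_key($user_id), as used in the answer above.
class Auth extends CI_Controller {

    public function login() {
        // Read credentials from request headers rather than the query string,
        // so they are not written to access logs or leaked through Referer.
        $apiKey    = (string) $this->input->server('HTTP_X_API_KEY');
        $secretKey = (string) $this->input->server('HTTP_X_API_SECRET');

        // Cheap syntactic checks before touching the database
        // (lengths taken from the answer; adjust to your own key format).
        if (strlen($apiKey) !== 10 || strlen($secretKey) !== 14) {
            return $this->deny();
        }

        // Look the record up by the public key only: the secret is never used
        // as a SQL predicate and is never stored in clear text.
        $query = $this->db->get_where('keys', array('apiKey' => $apiKey), 1);
        $found = ($query->num_rows() === 1);   // rows actually returned

        // Always run the comparison, against a dummy hash when no row matched,
        // so an unknown key and a wrong secret take the same time.
        $storedHash    = $found ? (string) $query->row()->secretHash : str_repeat('0', 64);
        $presentedHash = hash('sha256', $secretKey);
        if (!$found || !hash_equals($storedHash, $presentedHash)) {
            return $this->deny();
        }

        $user_id      = (int) $query->row()->user_id;
        $response_key = $this->somemodel->response_key($user_id);

        $this->output->set_header('Content-Type: application/json');
        $this->output->set_output(json_encode(array(
            'response_key' => $response_key,
            'user_id'      => $user_id,
        )));
    }

    // One generic failure response: do not reveal whether the key or the
    // secret was the part that failed.
    private function deny() {
        $this->output->set_status_header(401);
        $this->output->set_header('Content-Type: application/json');
        $this->output->set_output(json_encode(array('error' => 'unauthorized')));
    }
}
```

Clients send `X-Api-Key` and `X-Api-Secret` headers; the secret itself should be generated from a cryptographic random source when the key pair is issued, and only its hash kept in the table.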