REST API and client on same server, need API authentication?

First, let me describe the application: we are working on a web-based software which is some kind of custom help desk application. It requires the user to login (we use FOSUserBundle). After login the user is redirected to the dashboard. From the dashboard there is no more page reload, the frontend is built on AngularJS and the user can get anywhere within the application without page reload. You could speak of a single page application.

So the data that is presented to the user is fetched from a REST API (we use FOSRestBundle). This works quite well at this point.

There is some kind of dilemma. Only our staff will access this application (for now). So a staff member needs to login to access the helpdesk. The data that is pushed to the frontend via AngularJS is called via API, so the user that has just logged in needs to authenticate again on every request because of REST.

Problem: Since the backend runs on Symfony2, let us just try to get the user object of the currently logged-in user when an API call is made:

$this->get('security.context')->getToken()->getUser()

returns anon., which stands for anonymous, or

$this->getUser();

returns just null.

So the authenticated context seems to be gone when using the REST API. However, when I call an action directly without REST, I can get user information.

So what we need is to secure our REST API and get user information on every API call. We don't want third-party people to access our application, just staff. I am not familiar with OAuth, but wouldn't the user be redirected to a third-party page to Allow/Deny access to his data? This would not be an option for us.

Based on that information, do you have any suggestions or ideas on how to secure the API and transport the user data so that getUser does not return null or anon. but the actual logged-in user?

UpCat asked May 26 '26 12:05


1 Answer

There's another way to resolve your problem.

It's by using certificates. You can generate certificates, then use HTTP tunneling (HTTPS obviously); the server will ask for a certificate (you have to configure Apache for that, but it's not a big challenge).

With this in place, you have to add a CertificateManager on the server side to ensure that the certificate is valid and to know who's calling the service (to be able to authenticate the user at each request). The CertificateManager (or whatever you'll call it) will probably have to be configured within your filter chain (as known in the Java world), et voilà.

Hope that helps you, Abderrazak

Abderrazak BOUADMA answered May 30 '26 03:05
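As an added illustration of the answer's approach (this is not code from the question or the answer), here is a Symfony2 security.yml fragment that authenticates API requests with the client certificate Apache has already verified. It assumes the Apache vhost carries SSLVerifyClient require, SSLCACertificateFile pointing at the CA that issues staff certificates, and SSLOptions +StdEnvVars, so that the SSL_CLIENT_S_DN_Email variable reaches PHP. The provider name staff, the e-mail addresses and the role names are placeholders. Symfony's built-in x509 firewall listener plays the role of the answer's CertificateManager: it takes the identity Apache extracted from the validated certificate, looks it up in the user provider on every request, and makes that user available to $this->getUser() in the REST controllers.

```yaml
# app/config/security.yml (added example; provider name, users and roles are placeholders)
security:
    providers:
        # Only staff members listed here (keyed by the e-mail in their
        # certificate) get in; a valid certificate whose e-mail is not
        # listed is rejected even though Apache accepted the chain.
        staff:
            memory:
                users:
                    alice@staff.example: { roles: [ROLE_STAFF] }
                    bob@staff.example:   { roles: [ROLE_STAFF, ROLE_ADMIN] }

    firewalls:
        # The REST API used by the AngularJS frontend: no session is kept,
        # so the certificate is re-checked on every single request.
        api:
            pattern: ^/api/
            stateless: true
            x509:
                provider: staff
                # Apache sets these server variables only after it has
                # verified the certificate against SSLCACertificateFile.
                user: SSL_CLIENT_S_DN_Email
                credentials: SSL_CLIENT_S_DN

    access_control:
        # Anything under /api/ needs an authenticated staff member.
        - { path: ^/api/, roles: ROLE_STAFF }
```

The session-based firewall that FOSUserBundle protects the dashboard with stays as it is; only the API routes move under the stateless x509 firewall. Two caveats worth checking in a deployment: with PHP behind FastCGI the SSL_CLIENT_* variables must actually be forwarded to PHP (inspect $_SERVER on an /api/ request), and a departed staff member's certificate remains valid until it is revoked (SSLCARevocationFile in mod_ssl) or the user is removed from the provider.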

