Custom REST API Action with Security

PHPMaker General Discussion (PHPMaker)
1

I want to created a REST API where only the login user can access it
$app->get(‘/Info/{input}’, function ($request, $response, $args) {
if(Security()->isLoggedIn()){

}
}

I call the API with JWT header
And I want to check whether the user is login or not
Security()->isLoggedIn() is not working and
global $Security;
$Security->isLoggedIn() is also not working

How can I check the user is login or not in the REST API

2

Make sure you add your API action by the Api_Action event (not Route_Action event) and you call your API by the route “/api/Info/xxx”, otherwise your handler is not called.

3

Yes I have added the API under → function Api_Action($app){ }
the API call also working
$app->get(‘/Info/{input}’, function ($request, $response, $args) {
$input = $args[“input”] ?? null;
$result = array(“InputData”=>$input);
$response = $response->write(json_encode($result));
return $response;
}

I can call the above API by “/api/Info/xxx”

And it can be access by everyone.
But I want to give access to this api action “Info” only to the api with the header JWT token.

In my custom code how can i check that the user is login or the api has a valid JWT token.
if(JWT Token is valid){
return ----
}
else return ----

4

From the source code, if the JWT header is valid, the JWT middleware will login the user. If Security()->isLoggedIn() return false, that means there is not valid JWT header or the user is not valid. You may debug by checking, e.g. var_dump(Security()).

5

My error is on the process I am calling the API. The code I have use to Call the API is

//Get the JWT Token
$username = “abc”;
$password = “abc”;
$url = “xxx/api/login”;
$curl = curl_init();
$curldata = array(
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => “”,
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => “POST”,
CURLOPT_POSTFIELDS => array(“username”=>$username,“password”=>$password),
CURLOPT_SSL_VERIFYHOST => 0,
CURLOPT_SSL_VERIFYPEER => 0,
);
curl_setopt_array($curl, $curldata);
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo “cURL Error #:” . $err;
} else {
$resp = json_decode($response);
$jwttoken = $resp->JWT;
}

here I check the var_dump($jwttoken); // I got the token here.

//call the REST API with JWT Token
$url2 = “xxx/api/Info/25865”;
$curl = curl_init();
$curldata = array(
CURLOPT_URL => $url2,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => “”,
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => “GET”,
CURLOPT_SSL_VERIFYHOST => 0,
CURLOPT_SSL_VERIFYPEER => 0,
CURLOPT_HTTPHEADER => array(
“X-Authorization: $jwttoken”,
“content-type: application/json”
),
);
var_dump($curldata);
curl_setopt_array($curl, $curldata);
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo “cURL Error #:” . $err;
} else {
$result = json_decode($response, true);
}

var_dump($result);

//here I got the result for the userlevel -2 means the result for not login with JWT
Please kindly help where I have done the mistake

6

Just add this condition:

if (CurrentUserLevel() != -2) {

// your code to run API

}

7

singh wrote:

  		CURLOPT_HTTPHEADER => array(
  			"X-Authorization: $jwttoken",
  			"content-type: application/json"
  		),

The header is wrong, see the JavaScript version in the topic REST API ->Authenticate User with JWT (JSON Web Token) in the help file:

request.setRequestHeader(‘X-Authorization’, 'Bearer ’ + store.JWT);

You need to add 'Bearer ’ before the JWT token.

8

arbei wrote:

You need to add 'Bearer ’ before the JWT token.

On the API Calling script I have add the “Bearer” as
CURLOPT_HTTPHEADER => array(
“X-Authorization: Bearer $jwttoken”,
“content-type: application/json”
),

But still I am unable to access the REST API with Security
on the REST API I try as
$result[“userlevel”] = CurrentUserLevel();
$response = $response->write(json_encode($result));
return $response;

I got the return as {“userlevel”:null}

9

Try adding the JWT Middleware in your route to process the JWT token:

$app->get(‘…’, function ($request, $response, $args) {
//…
})->add(new JwtMiddleware());

10

Thanks
It is working now

And is there any other option to access the API by token which is unique to every user.
On the Authentication Table we will increase a field with “token” and the user token will be store.

By using this token the user can access the API
eg.
/api/gfjurulj14sgfh2434–MYTOKEN/Info/xxx"

11

singh wrote:

By using this token the user can access the API
eg.
/api/gfjurulj14sgfh2434–MYTOKEN/Info/xxx"

If you use that format, that means there are different actions, you should not do that. You may use, e.g.

/api/Info/xxx/gfjurulj14sgfh2434–MYTOKEN

and you check the token yourself in your action.