I have an application on AngularJS. I need to implement reading, writing and changing some data to/from the database in it. For this, as far as I understand, you need to create a REST server. My application will use the server's methods and thus accomplish the task.

The application will be hosted on cheap hosting, where the only available programming language is PHP. I chose Yii2 as the framework because I had worked with it before. I managed to sketch a minimal implementation of the REST server, but when it came to authentication the problems started. There are three authentication methods in Yii2:

  • HTTP Basic Auth: the access token is sent as the username. This approach should be used only when the access token can be safely stored on the API client side, for example when the API is used by a program running on a server.
  • Request parameter: the access token is sent as a request parameter in the API URL, i.e. approximately like this: https://example.com/users?access-token=xxxxxxxx . Since most web servers store request parameters in their logs, this approach should be used only when working with JSONP requests, which cannot send access tokens in HTTP headers.
  • OAuth 2: the access token is issued to the API client by an authorization server and sent to the API server as an HTTP Bearer token, in accordance with the OAuth2 protocol.

I still do not understand which way I should choose. The API will be used only by my JS application, which will be hosted on the same hosting as the REST server.

  • In your place I would make authorization through social networks using the OAuth2 implicit flow - Ali
  • @Ali, authorization through the social network is already there and it works great. But how can it help me with my own API server? - Ilya Bizunov
  • All that is needed in your API server is determining the userId, and the userId can be derived from the token received from the front end. What kind of working token you will have, you can decide for yourself. You can use the social network token directly, but then you have to check the validity of the token on the backend side in each request. To get rid of this, you can authorize: the first time, the front end sends the social network token to the backend, the backend checks the token, and if it is valid it creates its own token, binds it to the user and sends it to the front end. From that moment on, the front end keeps this token and passes it to the backend in a header with each request. - Ali
  • @Ali, I have never written REST servers, so I apologize for the stupid questions. The question is how such a mechanism will protect me from a user simply taking this token, substituting it into their own request and adding virtual currency to themselves? - Ilya Bizunov
  • In a REST authorization scheme with only a token, anyone who knows the correct token can impersonate the owner of the token. As protection, you can make the token's lifetime short. Or you need additional protection like binding the token to an IP. If you need super security then you probably have to dig deeper. - Ali
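The scheme Ali outlines in the comments, written out as an added example for Yii2 (this is not code from the question or from the Yii2 project itself). It assumes a `user` table with columns `id`, `access_token_hash` and `token_expires_at`, and a hypothetical `app\components\SocialAuth::resolveUserId()` helper standing in for the social-network check the asker says already works. The front end exchanges its social-network token once for an API token; every later request carries it in `Authorization: Bearer ...`, and Yii2's `HttpBearerAuth` filter resolves it to a user through `findIdentityByAccessToken()`. Only a hash of the token is stored, and the token expires after an hour, which is the "short lifetime" mitigation from the last comment.

```php
<?php
// Added example, not from the question or the Yii2 project.
// Assumed: table `user` (id, access_token_hash, token_expires_at) and a
// hypothetical app\components\SocialAuth::resolveUserId() helper.
namespace app\models;

use Yii;
use yii\db\ActiveRecord;
use yii\web\IdentityInterface;

class User extends ActiveRecord implements IdentityInterface
{
    const TOKEN_TTL = 3600; // seconds; a short lifetime limits the damage from a leaked token

    public static function tableName() { return '{{%user}}'; }

    public static function findIdentity($id) { return static::findOne($id); }

    // Called by HttpBearerAuth on every request carrying "Authorization: Bearer <token>".
    public static function findIdentityByAccessToken($token, $type = null)
    {
        $hash = hash('sha256', $token);                    // only the hash is stored
        $user = static::findOne(['access_token_hash' => $hash]);
        if ($user === null || $user->token_expires_at < time()) {
            return null;                                   // unknown or expired -> HTTP 401
        }
        return $user;
    }

    public function getId() { return $this->id; }
    public function getAuthKey() { return null; }          // cookie login is not used by the API
    public function validateAuthKey($authKey) { return false; }

    // Issue a fresh token. The plaintext is returned to the client once and never stored.
    public function issueAccessToken()
    {
        $token = Yii::$app->security->generateRandomString(64);
        $this->access_token_hash = hash('sha256', $token);
        $this->token_expires_at  = time() + self::TOKEN_TTL;
        $this->save(false);
        return $token;
    }
}

namespace app\controllers;

use Yii;
use yii\rest\Controller;
use yii\filters\auth\HttpBearerAuth;
use yii\web\UnauthorizedHttpException;
use app\models\User;

class AuthController extends Controller
{
    public function behaviors()
    {
        $behaviors = parent::behaviors();
        $behaviors['authenticator'] = [
            'class'  => HttpBearerAuth::class,
            'except' => ['login'],                         // login is the only unauthenticated action
        ];
        return $behaviors;
    }

    // POST /auth/login with JSON body {"social_token": "..."}
    public function actionLogin()
    {
        $socialToken = Yii::$app->request->getBodyParam('social_token');
        $userId = \app\components\SocialAuth::resolveUserId($socialToken); // hypothetical helper
        if ($userId === null) {
            throw new UnauthorizedHttpException('Social token is invalid.');
        }
        $user = User::findOne($userId);
        return ['access_token' => $user->issueAccessToken(), 'expires_in' => User::TOKEN_TTL];
    }

    // Any other action sees the caller only as the user the token resolved to:
    // the user id comes from the token, never from the request body, so a client
    // cannot act on another account by editing its request.
    public function actionMe()
    {
        return ['id' => Yii::$app->user->id];
    }
}
```

For this to work the `user` application component must point at the identity class and run without sessions, e.g. `'user' => ['identityClass' => 'app\models\User', 'enableSession' => false]` in the config. Any business action (crediting virtual currency, for instance) should take the account from `Yii::$app->user->id` and never from a user-supplied id, which is what answers the concern in the thread: a stolen token lets an attacker act as that one user until it expires, not as anyone else.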
