Yii restful : как сделать аутентификацию между приложением и сайтом?

Question

[Almik Эх! Дайте мне гитару]

Здравствуйте !

Есть rest api по которому можно получить данные. Причем данные могут получить только те программы или пользователи которые имеют пароль и логин.
Я конечно кое-что придумал , но хотелось бы узнать есть ли другие продвинутые
варианты?

<?php

class ApiController extends Controller
{
	private $password = "121212";
	private $login = "webservice"; 

	Const APPLICATION_ID = 'ASCCPE';

	private $format = 'json';
	
	public function filters()
	{
			return array();
	} 

	public function actionIndex()
	{
		echo CJSON::encode(array(1, 2, 3));
	}

	public function actionLaundry()
	{	
		$this->_checkAuth();
		if( !isset($_GET['id']) )
			$this->_sendResponse(500, 'Error: Parameter <b>id</b> is missing' );

		if( !isset($_GET['selected']) )
		{
			$ldap = new LdapComponent();
			$result = $ldap->getInfoStudent($_GET['id']);
	
			if(is_null($result)) {
				$this->_sendResponse(404, 'No Item found with id '.$_GET['id']);
			} else {
				echo "<pre>";
				print_r($result);
				echo "</pre>";
				//$this->_sendResponse(200, $this->_getObjectEncoded($_GET['model'], $model->attributes));
			} 
		} 
		else {
			switch( $_GET['selected'] )
			{
				case 'bedsets':
					echo "<script>alert('Laundry:BEDSETS info of student ID = '+'{$_GET[id]}')</script>";
					break;
				case 'softbeds':
					echo "<script>alert('Laundry:SOFTBEDS info of student ID = '+'{$_GET[id]}')</script>";
					break;
				case 'personal':
					echo "<script>alert('Laundry:PERSONAL BELONGINGS info of student ID = '+'{$_GET[id]}')</script>";
					break;
				case 'history':
					echo "<script>alert('Laundry:HISTORY info of student ID = '+'{$_GET[id]}')</script>";
					break;
				default: 
					echo "<script>alert('ERROR: Wrong Laundry Module!')</script>";
			}			
		} 
	}

	public function actionSport()
	{
		if( !isset($_GET['id']) )
			$this->_sendResponse(500, 'Error: Parameter <b>id</b> is missing' );

		if( !isset($_GET['selected']) )
		{
			$ldap = new LdapComponent();
			$result = $ldap->getInfoStudent($_GET['id']);
	
			if(is_null($result)) {
				$this->_sendResponse(404, 'No Item found with id '.$_GET['id']);
			} else {
				echo "<pre>";
				print_r($result);
				echo "</pre>";
				//$this->_sendResponse(200, $this->_getObjectEncoded($_GET['model'], $model->attributes));
			} 
		} 
		else {
			switch( $_GET['selected'] )
			{	/*
				case 'bedsets':
					echo "<script>alert('Laundry:BEDSETS info of student ID = '+'{$_GET[id]}')</script>";
					break;
				case 'softbeds':
					echo "<script>alert('Laundry:SOFTBEDS info of student ID = '+'{$_GET[id]}')</script>";
					break;
				case 'personal':
					echo "<script>alert('Laundry:PERSONAL BELONGINGS info of student ID = '+'{$_GET[id]}')</script>";
					break;
				default: 
					echo "<script>alert('ERROR: Wrong Laundry Module!')</script>";
				*/
				case 'history':
					echo "<script>alert('Sport Center:HISTORY info of student ID = '+'{$_GET[id]}')</script>";
					break;
				default: 
					echo "<script>alert('ERROR: Wrong Sport Center Module!')</script>";
			}			
		} 
	}

	public function actionIdsupport()
	{
		if( !isset($_GET['id']) )
			$this->_sendResponse(500, 'Error: Parameter <b>id</b> is missing' );

		if( !isset($_GET['selected']) )
		{
			$ldap = new LdapComponent();
			$result = $ldap->getInfoStudent($_GET['id']);
	
			if(is_null($result)) {
				$this->_sendResponse(404, 'No Item found with id '.$_GET['id']);
			} else {
				echo "<pre>";
				print_r($result);
				echo "</pre>";
				//$this->_sendResponse(200, $this->_getObjectEncoded($_GET['model'], $model->attributes));
			} 
		} 
		else {
			switch( $_GET['selected'] )
			{	/*
				case 'bedsets':
					echo "<script>alert('Laundry:BEDSETS info of student ID = '+'{$_GET[id]}')</script>";
					break;
				case 'softbeds':
					echo "<script>alert('Laundry:SOFTBEDS info of student ID = '+'{$_GET[id]}')</script>";
					break;
				case 'personal':
					echo "<script>alert('Laundry:PERSONAL BELONGINGS info of student ID = '+'{$_GET[id]}')</script>";
					break;
				default: 
					echo "<script>alert('ERROR: Wrong Laundry Module!')</script>";
				*/
				case 'history':
					echo "<script>alert('Recovering ID card:HISTORY info of student ID = '+'{$_GET[id]}')</script>";
					break;
				default: 
					echo "<script>alert('ERROR: Wrong Recovering ID card Module!')</script>";
			}			
		} 
	}   

	/**
	 * Sends the API response 
	 * 
	 * @param int $status 
	 * @param string $body 
	 * @param string $content_type 
	 * access private
	 * return void
	 */
	private function _sendResponse($status = 200, $body = '', $content_type = 'text/html')
	{
		$status_header = 'HTTP/1.1 ' . $status . ' ' . $this->_getStatusCodeMessage($status);
		// set the status
		header($status_header);
		// set the content type
		header('Content-type: ' . $content_type);

		// pages with body are easy
		if($body != '')
		{
			// send the body
			echo $body;
			exit;
		}
		// we need to create the body if none is passed
		else
		{
			// create some body messages
			$message = '';

			// this is purely optional, but makes the pages a little nicer to read
			// for your users.  Since you won't likely send a lot of different status codes,
			// this also shouldn't be too ponderous to maintain
			switch($status)
			{
				case 401:
					$message = 'You must be authorized to view this page.';
					break;
				case 404:
					$message = 'The requested URL ' . $_SERVER['REQUEST_URI'] . ' was not found.';
					break;
				case 500:
					$message = 'The server encountered an error processing your request.';
					break;
				case 501:
					$message = 'The requested method is not implemented.';
					break;
			}

			// servers don't always have a signature turned on (this is an apache directive "ServerSignature On")
			$signature = ($_SERVER['SERVER_SIGNATURE'] == '') ? $_SERVER['SERVER_SOFTWARE'] . ' Server at ' . $_SERVER['SERVER_NAME'] . ' Port ' . $_SERVER['SERVER_PORT'] : $_SERVER['SERVER_SIGNATURE'];

			// this should be templatized in a real-world solution
			$body = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
						<html>
							<head>
								<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
								<title>' . $status . ' ' . $this->_getStatusCodeMessage($status) . '</title>
							</head>
							<body>
								<h1>' . $this->_getStatusCodeMessage($status) . '</h1>
								<p>' . $message . '</p>
								<hr />
								<address>' . $signature . '</address>
							</body>
						</html>';

			echo $body;
			exit;
		}
	} 
	// {{{ _getStatusCodeMessage
	/**
	 * Gets the message for a status code
	 * 
	 * @param mixed $status 
	 * access private
	 * return string
	 */
	private function _getStatusCodeMessage($status)
	{
		// these could be stored in a .ini file and loaded
		// via parse_ini_file()... however, this will suffice
		// for an example
		$codes = Array(
			100 => 'Continue',
			101 => 'Switching Protocols',
			200 => 'OK',
			201 => 'Created',
			202 => 'Accepted',
			203 => 'Non-Authoritative Information',
			204 => 'No Content',
			205 => 'Reset Content',
			206 => 'Partial Content',
			300 => 'Multiple Choices',
			301 => 'Moved Permanently',
			302 => 'Found',
			303 => 'See Other',
			304 => 'Not Modified',
			305 => 'Use Proxy',
			306 => '(Unused)',
			307 => 'Temporary Redirect',
			400 => 'Bad Request',
			401 => 'Unauthorized',
			402 => 'Payment Required',
			403 => 'Forbidden',
			404 => 'Not Found',
			405 => 'Method Not Allowed',
			406 => 'Not Acceptable',
			407 => 'Proxy Authentication Required',
			408 => 'Request Timeout',
			409 => 'Conflict',
			410 => 'Gone',
			411 => 'Length Required',
			412 => 'Precondition Failed',
			413 => 'Request Entity Too Large',
			414 => 'Request-URI Too Long',
			415 => 'Unsupported Media Type',
			416 => 'Requested Range Not Satisfiable',
			417 => 'Expectation Failed',
			500 => 'Internal Server Error',
			501 => 'Not Implemented',
			502 => 'Bad Gateway',
			503 => 'Service Unavailable',
			504 => 'Gateway Timeout',
			505 => 'HTTP Version Not Supported'
		);

		return (isset($codes[$status])) ? $codes[$status] : '';
	}

	// {{{ _checkAuth
	/**
	 * Checks if a request is authorized
	 * 
	 * access private
	 * return void
	 */
	private function _checkAuth()
	{   
		$token = $_REQUEST['X_WEB_SERVICE_TOKEN'];
		$login = $_REQUEST['X_WEB_SERVICE_LOG'];
		$password = $_REQUEST['X_WEB_SERVICE_PASS'];

		if( empty($token) ){
			if( $this->login !== $login && $this->password !== $password ){
				$this->_sendResponse(401);
			} 
			else {
				//$date = getdate();
				//$month = $date['month']; 
				//$token = md5($login."?".$month."?".$password);
				$token = sha1( $this->login."?".$this->password );
				$_REQUEST['X_WEB_SERVICE_TOKEN'] = $token;
			}
		}
		else {
			$serverToken = sha1( $this->login."?".$this->password );

			if( $token !== $serverToken ){
				$this->_sendResponse(401);
			}
		} 
		
	} 

	// {{{ _getObjectEncoded
	/**
	 * Returns the json or xml encoded array
	 * 
	 * @param mixed $model 
	 * @param mixed $array Data to be encoded
	 * access private
	 * return void
	 */
	private function _getObjectEncoded($model, $array)
	{
		if(isset($_GET['format']))
			$this->format = $_GET['format'];

		if($this->format=='json')
		{
			return CJSON::encode($array);
		}
		elseif($this->format=='xml')
		{
			$result = '<?xml version="1.0">';
			$result .= "\n<$model>\n";
			foreach($array as $key=>$value)
				$result .= "    <$key>".utf8_encode($value)."</$key>\n"; 
			$result .= '</'.$model.'>';
			return $result;
		}
		else
		{
			return;
		}
	} // }}} 
	// }}} End Other Methods
}
?>

Answer 1

[Алексей Волегов]

Не самый удачный способ выкидывать весь код, который не относится к вопросу.

В идеологии так. У вас одна бд под сессии, соответсвенно вы можете выдернуть информацию о текущем пользователе. На REST API у вас есть x-token, который авторизует пользователя или это session id.
Вы можете этот x-token передать на сайт и если в header он есть, то делаем авторизацию по нему или извлечения данных из сессии.

Answer 2

[Михаил Баженов]

Используйте токен для аутенфикации

www.yiiframework.com/doc-2.0/guide-rest-authentica...

Comments

[Almik Эх! Дайте мне гитару]

У меня yii 1.1.5 и как известно оно не поддерживает аутентификацию и авторизацию веб-сервисов с коробки. Меня интересует следующее, существует ли расширения?