REST API and sessions: how does login work?

I have always worked with PHP/MySQL and JavaScript/jQuery. I have always connected PHP directly to the database, and I use login sessions.

I am currently working on a project where I use AngularJS for the frontend and PHP/MySQL for the backend, as a kind of API that feeds the main application with database data. The thing is, as I explained above, I have always used sessions to handle the login, so my question is: what is the best option to do this login and stay authenticated? Should I always send the username and password to the API to stay authenticated? Should I use some sort of token with an expiration time? But in the case of a browser (web application), where would I store this token? Would I then still make use of sessions?

Anyway, I don’t know if I said anything silly, if so, please correct me.

  • From what I understand, your question is about how to manage logins in the backend of an API, right?

  • Yes. But also, how can I store this authentication, since I won’t be using sessions.

  • Do you have any reason not to use sessions?

  • @Gabe Nothing prevents it, but it is not the common standard, because REST APIs can also be used by clients that do not have the session concept - for example mobile apps for Android and iOS. One of the patterns used in this case is the bearer token.

  • @lbotinelly Ah, that makes sense... I didn’t consider that the same API could be used by other clients. That’s what comes of never having worked with apps :D

  • @Gabe Live and learn! I myself learned this a short time ago, a matter of months. One of the advantages of the bearer token mechanism is that you can simply revoke them en masse (as services like Google, Facebook and Twitter do when you change your password).

  • So... That was my idea. I’m an Android/Java developer too. I was thinking of working with Angular/JS + the Phalcon Micro framework (Angular frontend and the backend as a REST API), because I thought that in the future the API, in addition to powering my main application, could power a mobile application. In this case, I would need to implement some form of authentication that works in both cases. Is the bearer token you mention OAuth 2 style?

  • @Thiagoyoithi If the answer helped, close the question with the answer. Hugs.


1 answer

The idea is to build a REST API; it is stateless (it does not maintain state). Each user requests a token from the REST API, and with that token it accesses the endpoints it needs to query.

For this you build a registry of each user, for the applications that will use your API. You deliver a client_secret and client_id to the client for each application.

With the client_secret and client_id, the user can call an endpoint which will validate the information and return the token used for each request.

Adapting this to your case, imagine that in each AJAX call (or $http, which Angular uses for AJAX in the background) you pass the token along with the call; internally you validate the token and allow access.

For each token, you can create functions (or roles), ensuring public and partial access to your API, or allowing applications to have a token for less or more time.

A personal suggestion: consider leaving some endpoints of your API public. Sometimes your information can help others build more things on top of your API, which may end up bringing more value to your content. And depending on the access, you can even charge for it.

This is a summary of how you work with a REST API and auth; a careful look at the specifications, and also at how other APIs operate, helps a lot in understanding the subject.

Here are some I particularly like to look at.

Github

Sharpener

Twitter

Instagram

  • Just a reminder that, while your answer is not incorrect, adding a token to every request, where the API has to validate every request, requires the backend to keep state, so it would no longer be a stateless application.

  • @Williamokano In practice this token is stored on the client side... localStorage or cookies. It is sent in every request to the server, and returned in every response. The server is indeed stateless; it is the front end that holds the state. There are implementations that store it in the database and send it to the client, for example to ensure access by only one device.
