
(I use PHP) I want users to be able to edit their profile via my RESTful API. Each user has a unique id (something of a public key, right?) and a secret API key stored in the DB, and no one has access to this key ('even' not the user himself. Sub-question: can I display his secret key to the user? I noticed that Facebook does it and even uses it in their php-sdk).

So I read this answer - https://stackoverflow.com/a/8567909/410065 - and decided that this is the way I want to implement it (I don't think there are other ways (?)).

As I understood, I need to make this call to update: PUT http://api.domain.com/user/4/?sig=..result of hash_hmac.., but my problem is: how can I know the result of hash_hmac (to fill in the sig field) BEFORE I call it? Of course I should make two calls to hash_hmac - the first to make the sig to send with the HTML form, and the second to validate the user. But where do I make the first call of the function? (It should be between the form submit and the RESTful call).

Luis
  • Read about [OAuth](http://en.wikipedia.org/wiki/OAuth). This is an open standard to this problem and what Facebook and Co. use. – bitWorking Jan 20 '13 at 02:34
  • You need an OAuth server for example [this](https://github.com/quizlet/oauth2-php) one. Read more about the authentication flow [here](https://quizlet.com/api/2.0/docs/authorization_code_flow/). – bitWorking Jan 20 '13 at 02:40
  • I see, thank you. Is OAuth a must? In addition, if the RESTful API is for the website only (not for other developers, but users will update their profiles via the website's RESTful API), is it fine to use cookies / sessions to validate the user (validation will be executed inside the PHP function)? Isn't that an 'offense' against the REST basics / theory? – Luis Jan 20 '13 at 03:12
  • Yes with OAuth you don't need sessions/cookies. The user must send a token with every request after he is successfully authenticated. – bitWorking Jan 20 '13 at 03:22
  • That I understood, I mean if I don't use OAuth and my REST API is only for my website and not for developers (please read from 'In addition..'). What about OAuth alternatives? What is the natural way to do that? In the answer I linked to, there is no reference to OAuth. – Luis Jan 20 '13 at 03:27
  • I don't really catch what you're trying to do. OAuth is not for developers but for users who want to have access to their private data with external devices or without logging in directly on the website. – bitWorking Jan 20 '13 at 03:37
  • I think there is a little confusion here. First, in my main question, I asked about a RESTful API like the Facebook Graph API, which enables external websites/developers to do actions, such as get private data, and therefore (as I understood) I should use a 'hardcore method' like OAuth to authenticate their identity. Later, I asked another question - if my RESTful API is only for MY website, not for external developers, can I authenticate the identity with the regular method, by checking cookies for example (the user is already logged in to the website)? – Luis Jan 20 '13 at 03:58
  • Because RESTful should be stateless I would avoid using sessions/cookies. I found a discussion that could be interesting for you [here](http://stackoverflow.com/questions/319530/restful-authentication). – bitWorking Jan 20 '13 at 04:18
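The following is an added example, not code from the question or from any of the commenters, showing where the two hash_hmac calls in the question actually sit. The first call happens on the client side, in the code that issues the PUT (a server-side controller, SDK or script acting for the user, never in the HTML form itself, because the form would have to contain the secret). The second call happens on the API side, which looks the secret up by user id, recomputes the HMAC over the same canonical string and compares it in constant time with hash_equals. The user id 4, the secret value, the canonical-string layout (method, path, timestamp, nonce, body) and the query parameter names ts and nonce are all assumptions made for this example; the timestamp and nonce are there so that a captured request cannot simply be resent.

```php
<?php
// Added example (not from the question or comments): HMAC-signed PUT to a
// REST endpoint. Client computes the signature, server recomputes and checks.
declare(strict_types=1);

// Constructed sample data. In a real application the secret is loaded from
// the DB by user id and is never sent to the browser or embedded in a form.
const USER_SECRETS = [
    4 => 'constructed-secret-key-for-user-4',
];

// Maximum clock skew accepted between the client timestamp and server time.
const MAX_SKEW_SECONDS = 300;

/** The exact string both sides sign; changing any covered field changes the signature. */
function canonicalString(string $method, string $path, int $timestamp, string $nonce, string $body): string
{
    return implode("\n", [strtoupper($method), $path, (string) $timestamp, $nonce, $body]);
}

/** Client side: the "first" hash_hmac call, made by the code that issues the request. */
function signRequest(string $secret, string $method, string $path, int $timestamp, string $nonce, string $body): string
{
    return hash_hmac('sha256', canonicalString($method, $path, $timestamp, $nonce, $body), $secret);
}

/**
 * Server side: the "second" hash_hmac call. Looks the secret up by user id,
 * rejects stale timestamps and reused nonces, then compares in constant time.
 * $seenNonces stands in for a store of nonces seen inside the skew window.
 */
function verifyRequest(
    int $userId, string $method, string $path, int $timestamp, string $nonce,
    string $body, string $sig, int $now, array &$seenNonces
): bool {
    $secret = USER_SECRETS[$userId] ?? null;
    if ($secret === null) {
        return false;                       // unknown user id
    }
    if (abs($now - $timestamp) > MAX_SKEW_SECONDS) {
        return false;                       // stale or future-dated request
    }
    if (isset($seenNonces[$nonce])) {
        return false;                       // replay of an already accepted request
    }
    $expected = hash_hmac('sha256', canonicalString($method, $path, $timestamp, $nonce, $body), $secret);
    if (!hash_equals($expected, $sig)) {    // timing-safe comparison, expected value first
        return false;
    }
    $seenNonces[$nonce] = $timestamp;       // only remember nonces of accepted requests
    return true;
}

// --- Client: build and sign the PUT /user/4/ request.
$userId    = 4;
$method    = 'PUT';
$path      = '/user/4/';
$body      = json_encode(['name' => 'Luis']);
$timestamp = time();
$nonce     = bin2hex(random_bytes(16));
$sig       = signRequest(USER_SECRETS[$userId], $method, $path, $timestamp, $nonce, $body);
$url       = "http://api.domain.com{$path}?ts={$timestamp}&nonce={$nonce}&sig={$sig}";
echo "PUT {$url}\n";

// --- Server: verify three variants of the request.
$seenNonces = [];

// 1) Same signature but a modified body: the recomputed HMAC no longer matches.
$tampered = json_encode(['name' => 'Someone else']);
echo 'tampered body accepted: ';
var_dump(verifyRequest($userId, $method, $path, $timestamp, $nonce, $tampered, $sig, time(), $seenNonces));

// 2) The genuine request: accepted, and its nonce is recorded.
echo 'genuine request accepted: ';
var_dump(verifyRequest($userId, $method, $path, $timestamp, $nonce, $body, $sig, time(), $seenNonces));

// 3) The genuine request sent a second time: rejected because the nonce was already used.
echo 'replayed request accepted: ';
var_dump(verifyRequest($userId, $method, $path, $timestamp, $nonce, $body, $sig, time(), $seenNonces));
```

Run it with `php example.php`. The API handler would take the user id from the path, ts, nonce and sig from the query string, and the body from the request, and pass them to verifyRequest; the secret never travels with the request. Note that this scheme only works when the signing code runs somewhere the secret can be kept (server-side code or a trusted SDK), which is the reason the comments point to OAuth for the browser-only case.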

0 Answers