2

Need your ideas.

I have a ZF1/Postgres application. It has its own users and all that. Now I would like the whole application to be API-driven. I started to build RESTful resources in a new Laravel 5 application. The Laravel app will talk to the same Postgres DB. Eventually, I want to get rid of all the DB calls within the ZF1 app, so that the Laravel app is in charge of that.

The question is: I would like to add authorization for each API call, so that I know which users produce those calls and could act accordingly. What is the best way to authenticate users, so they could access Laravel endpoints?

IM_AG
  • Who will use the API? Internal, trusted or untrusted third parties? – dschniepp May 15 '15 at 20:31
  • @dschniepp This is an internal API. For example, when a user updates his profile data, I do want to do an API call from a ZF1 controller to a Laravel 5 endpoint. But in order to do something like POST /profile, I first need to authenticate the user, so that the application knows which user to operate with – IM_AG May 15 '15 at 20:36

2 Answers

1

If you want to use RFC-standard OAuth2 authentication, I would go with https://github.com/lucadegasperi/oauth2-server-laravel

Assuming you do, you'd probably want to use the "password" grant-type for internal authentication. Your client would hit the /oauth/access_token endpoint for a token using the user's username and password, which would return an access token good for the rest of the API.

To protect a route, you'd put it in the Route::group(['before' => 'oauth']...) section. To access an oauth-protected endpoint, you'd put the token in the HTTP header "authorization": "bearer <token>".

If you aren't using the standard Laravel Users model, you may have to do a little tweaking. Most of it is covered in the oauth plugin wiki.

Ixalmida
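The exchange described in the answer above (password grant at the token endpoint, then a bearer token on each API call to identify the user), as an added example that is not part of the original answer and not code from oauth2-server-laravel. It is a plain-PHP in-memory model; the function names, array layouts, token lifetime and sample credentials are assumptions made for illustration.

```php
<?php
// Added illustration: in-memory model of the password grant and the bearer check.
// Function names, array layouts and sample credentials are constructed.

const TOKEN_TTL = 3600; // seconds; assumed token lifetime

/** Token endpoint side: exchange username/password for an access token. */
function issueAccessToken(array $users, array &$tokens, string $username, string $password, int $now): ?array
{
    $user = $users[$username] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return null; // same answer for an unknown user and a wrong password
    }
    $token = bin2hex(random_bytes(32));
    // Store only a hash of the token, so a leaked token table cannot be replayed.
    $tokens[hash('sha256', $token)] = ['user_id' => $user['id'], 'expires' => $now + TOKEN_TTL];
    return ['access_token' => $token, 'token_type' => 'Bearer', 'expires_in' => TOKEN_TTL];
}

/** Resource side: map an Authorization header value to a user id, or null. */
function resolveUser(array $tokens, ?string $authorization, int $now): ?int
{
    if ($authorization === null
        || !preg_match('/^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)$/i', $authorization, $m)) {
        return null; // missing header or wrong scheme
    }
    $row = $tokens[hash('sha256', $m[1])] ?? null;
    if ($row === null || $row['expires'] <= $now) {
        return null; // unknown or expired token
    }
    return $row['user_id'];
}

// Constructed sample data: one user, empty token store.
$users  = ['alice' => ['id' => 17, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
$tokens = [];
$now    = time();

$grant = issueAccessToken($users, $tokens, 'alice', 'correct horse', $now);
$header = 'Bearer ' . $grant['access_token'];

var_dump(issueAccessToken($users, $tokens, 'alice', 'wrong', $now)); // wrong password
var_dump(resolveUser($tokens, $header, $now));                       // valid token
var_dump(resolveUser($tokens, $header, $now + TOKEN_TTL + 1));       // expired token
var_dump(resolveUser($tokens, 'Basic ' . $grant['access_token'], $now)); // wrong scheme
var_dump(resolveUser($tokens, null, $now));                          // no header
```

The resource side takes the user id from the token lookup alone; nothing supplied by the caller apart from the token decides which user the request acts as.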
0

If the API is not public and there isn't any chance to access it directly from the internet, I wouldn't use any authentication. I would pass the userId in a custom http-header and authenticate via Auth::loginUsingId(1); this will be cheaper than doing real authentication stuff. Therefore you have to map App\User to your existing user-table.

If you want to do real authentication take a look at RESTful Authentication

For inspiration on how to use Laravel for a REST-Service take a look at the dingo/api package (currently only Laravel 4, 5 is in progress).

dschniepp