5

I am exploring the world of REST APIs for the first time. I have already dealt with them through Slim, but now I want a homemade solution, since I don't need a framework to make a simple REST API. What I have done is create a page like this:

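```php
<?php
// HTTP verb of the incoming request
$method = $_SERVER['REQUEST_METHOD'];
// Path segments after the script name, e.g. "/v1/users" -> ["v1", "users"]
$request = explode("/", substr($_SERVER['PATH_INFO'] ?? '', 1));

switch ($method)
{
  case 'PUT':
    echo "PUT";
    break;
  case 'POST':
    echo "POST";
    break;
  case 'GET':
    echo "GET";
    break;
  case 'DELETE':
    echo "DELETE";
    break;
  default:
    // handle_error() is not shown in the question
    handle_error($request);
    break;
}
```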

My goal is to implement an access token. I think I should pass it in the header, but I'm not sure (I'm looking for a secure way). However, if I run this from the command line:

```sh
curl -X GET http://localhost/v1
```

I get GET, just to give an example of how it should work, and likewise for all the other requests. Now the real question is: how can I call the methods in the switch only if I passed a token? For example, a check like this would be carried out at the top of the page:

```php
if (!isset($_SERVER['AUTH_USER']))
{
    exit('TOKEN not provide');
}
```

Another question is how to pass the token via curl? Because if I do it through ... I can read the header via curl but how would it work?

UPDATE:

As mentioned by @Paradoxis I've tried with:

```sh
curl http://localhost/v1 -H "Authorization: <token>"
```

but it seems that I fail to get the header. I spent time trying to understand why the header isn't passed, so I've added this line to my code:

```php
print_r(apache_request_headers());
```

and this is the result:

```
Array
(
   [Host] => localhost
   [User-Agent] => curl/7.46.0
   [Accept] => */*
   [Authorization] => <token>
)
```

As you can see, the header shows up correctly in the request headers, but I can't catch it through the use of `$_SERVER['Authorization']` or `$_SERVER['HTTP_Authorization']`.

Dillinger
  • 1
    Voted to close as duplicate. Had a hard time selecting only 1 post, because the topic is so frequently discussed on SO. Shows lack of research effort by author. Also, the "real question" only appears towards the end of the post. Don't believe that this can or should be salvaged. Didn't DOWNVOTE, though. – tony gil Feb 14 '16 at 11:44
  • 1
    @tonygil well, I guess my question is a little different from what you have proposed, sorry you didn't get the drift. – Dillinger Feb 14 '16 at 12:21
  • This sounds like an XY problem (http://meta.stackexchange.com/questions/66377/what-is-the-xy-problem). What exactly do you want to do? Because you seem to mix the standard HTTP authentication with a "custom" token-based authentication (like OAuth or many others) – Gavriel Feb 15 '16 at 07:36
  • @Gavriel Hi, it's not an XY problem. I want to implement a token access that is passed in each request for the API. Of course the token is customized, I don't know if this is the correct way or not. – Dillinger Feb 15 '16 at 08:23

2 Answers

6

> As you can see, the header shows up correctly in the request headers, but I can't catch it through the use of `$_SERVER['Authorization']` or `$_SERVER['HTTP_Authorization']`.

Every time you need to see the headers, or any other information that you think should be available, I suggest you debug it like this:

```php
var_dump($_SERVER);
```

Most probably you'll find it as: `$_SERVER['HTTP_AUTHORIZATION']`

Note: this is case-sensitive! PHP takes the headers, capitalizes the key, changes "-" to "_" and prepends "HTTP_".

Note 2: don't use a standard HTTP header, like Authorization, for your custom-made tokens. That is for HTTP Basic Authentication. If you do implement your custom token, then use your custom HTTP header for it.

Gavriel
  • What do you suggest as authentication token? – Dillinger Feb 15 '16 at 09:05
  • 1
    I did not say anything about the value, only the name of the header. You can use `Token`: for example – Gavriel Feb 15 '16 at 09:23
  • I mean, you suggest to use the header as access token or another technique? Anyway, I did a `var_dump($_SERVER);` and there is an index like this: `['AUTHORIZATION'] => string(6) "master" `. Now if I try to get it as `var_dump($_SERVER['AUTHORIZATION']);` or `var_dump($_SERVER['HTTP_AUTHORIZATION']);` I get `NULL`. I don't understand why. – Dillinger Feb 15 '16 at 09:41
  • I noticed that if I add this `RewriteRule .? - [E=AUTHORIZATION:%{HTTP:AUTHORIZATION}]` in the `.htaccess` I can get the `AUTHORIZATION` header correctly, but without it no header is set in the `$_SERVER` variable. – Dillinger Feb 15 '16 at 09:49
  • It might be because you're trying to use a http header that has a standard meaning. Try it with `Token` – Gavriel Feb 15 '16 at 11:48
  • you're right, thanks. Could I ask maybe some question here: http://chat.stackoverflow.com/rooms/102138/discussion-between-dillinger-and-ryan-vincent – Dillinger Feb 15 '16 at 12:02
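
The token check asked about in the question, written against the header-name mapping described in the answer above. This is an added example, not code from the original posts: the `Token` header follows the suggestion in the comments, and the function names, the SHA-256 digest comparison and the sample token are assumptions made for the illustration.

```php
<?php
// Added example. Function names and the sample token are constructed.

/** $_SERVER key PHP derives from a header: upper-case, "-" to "_", "HTTP_" prefix. */
function server_key(string $header): string
{
    return 'HTTP_' . strtoupper(str_replace('-', '_', $header));
}

/** Token sent in the given header, or null when it is absent or empty. */
function read_token(array $server, string $header = 'Token'): ?string
{
    $value = $server[server_key($header)] ?? null;
    if (!is_string($value) || trim($value) === '') {
        return null;
    }
    return trim($value);
}

/** Compare SHA-256 digests with hash_equals() so the check runs in constant time. */
function token_is_valid(?string $token, string $expectedHash): bool
{
    return $token !== null && hash_equals($expectedHash, hash('sha256', $token));
}

// Constructed value; a real deployment loads the stored digest from configuration.
$expectedHash = hash('sha256', 'constructed-sample-token');

if (PHP_SAPI === 'cli') {
    // Offline self-check against constructed $_SERVER arrays.
    $cases = [
        [['HTTP_TOKEN' => 'constructed-sample-token'], true],
        [['HTTP_TOKEN' => 'wrong-token'], false],
        [['Token' => 'constructed-sample-token'], false], // raw header name is never a key
        [[], false],
    ];
    foreach ($cases as [$server, $expected]) {
        if (token_is_valid(read_token($server), $expectedHash) !== $expected) {
            throw new RuntimeException('unexpected result for ' . json_encode($server));
        }
    }
    echo "all checks passed\n";
} elseif (!token_is_valid(read_token($_SERVER), $expectedHash)) {
    // Reject before the switch ($method) dispatch is reached.
    http_response_code(401);
    header('Content-Type: application/json');
    exit(json_encode(['error' => 'missing or invalid token']));
}
// Authenticated requests continue to the switch ($method) block from the question.
```

A request then looks like `curl http://localhost/v1 -H "Token: <token>"`. The token is a bearer secret, so outside of localhost testing the API should only be reachable over HTTPS.
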
3

You can pass headers with curl via the -H argument like so:

```sh
curl http://localhost/v1 -H "AUTH_USER: <token>"
```
Paradoxis
  • Okay, now it's clear, but if I execute your command: `var_dump( $_SERVER['AUTH_USER']);` I get `Null`. Why? – Dillinger Feb 14 '16 at 11:20
  • @Dillinger Have you done a `var_dump($_SERVER)`? If I recall correctly, the header in your case will be prefixed, something like `$_SERVER['HTTP_AUTH_USER']` although that specific one might be reserved for HTTP authentication. – jeroen Feb 14 '16 at 11:28
  • I set the token like this: `curl -X GET http://localhost/v1/ -H "AUTH_USER: "` I tried also with: `var_dump($_SERVER['HTTP_AUTH_USER'])` – Dillinger Feb 14 '16 at 11:30
  • @Dillinger `HTTP_AUTH_USER` is probably reserved. – jeroen Feb 14 '16 at 11:33