
I'm using codeIgniter to create a service for an app. I have created an endpoint where the user id is passed in as a parameter and then JSON data for that user is output. On the app, when the user logs in, I create a JSON token on the server side. I would like to validate this token before the JSON data from the endpoint is output. I'm not sure how I should go about this. Should I check the token before loading the view in my codeIgniter controller?

I have a profiles_model which includes the following method:

function get_profile($user_id)
{
    // takes a user_id and fetches that user's row(s) from the users table
    $this->db->from('users');
    $this->db->where('userID', $user_id);
    $query = $this->db->get();
    return $query->result();    // array of row objects (empty array if no match)
}

and I have a Profiles controller class which includes the following method:

public function get_profile($user_id)
{
    // gets the basic profile info of a user depending on what user id is passed in as a parameter.
    // there are 6 profiles, so user id should be between 1 and 6 to return any data
    $this->load->model('Profiles_model');   // load our Profiles_model

    // empty array to store the profile info
    $data['profile'] = array();

    foreach ($this->Profiles_model->get_profile($user_id) as $row) {
        $data['profile'][] = array(
            'user_id'       => $row->userID,
            'username'      => $row->username,
            'profile_image' => $row->profileImage,
            'email_address' => $row->emailAddress,
        );
    }

    // load our json_output.php view and pass in the $data array.
    $this->load->view('json_output', $data);
}

json_output.php view:

<?php

defined('BASEPATH') OR exit('No direct script access allowed');

// default to an empty array so json_encode() never sees an undefined $output
$output = isset($profile) ? $profile : array();

$this->output
    ->set_content_type('application/json', 'utf-8') // content type will be json
    ->set_output(json_encode($output, JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES));

To create the token for login on the app i'm using the JWT php class.

// payload carries only the user id; the JWT class adds the header and the HMAC signature
$token = array();
$token['userID'] = $id;

$data['usertoken'] = JWT::encode($token, 'secret_server_key');
echo json_encode($data); // echo back to client side

For subsequent HTTP requests on the app I'm sending the token as POST and authenticating it on the server side:

if (isset($_POST['usertoken'])) {
    try {
        // decode() verifies the signature and throws on a tampered or malformed token
        $token = JWT::decode($_POST['usertoken'], 'secret_server_key');
        echo $token->userID;
    } catch (Exception $e) {
        // signature check failed: treat the request as unauthenticated
        http_response_code(401);
    }
}

I would like to use this code (where I check the usertoken POST variable) in my endpoint, but I'm not sure where to put it. Should I put it in the json_output.php view? Thanks.

My function in JavaScript on the client side to retrieve the JSON:

function generateUserProfile(user_id) {
    var url = 'http://www.example.com/app_data/index.php/profiles/get_profile/' + user_id;
    $.getJSON(url, {format: "json"}).done(function (data) {
        var profile_image = "http://www.example.com/" + data[0].profile_image;
        var edit_icon = '<i class="fa fa-pencil edit"></i>';
        $("#profile_pic").attr('src', profile_image);
        // insert the server-supplied strings with .text() so any HTML in a
        // username or e-mail address is shown literally instead of being rendered
        $("#profile_username").text(data[0].username).append(edit_icon);
        $("#profile_email_address").text(data[0].email_address).append(edit_icon);
    }); // end $.getJSON
}
Sarah
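The check belongs in the controller, before the model is queried: the view runs after the data has already been fetched, so it is the wrong place to decide whether the request is allowed. The controller below is an added example written for this page, not the asker's code or anything from CodeIgniter or php-jwt. It assumes CodeIgniter 3, the Profiles_model from the question, firebase/php-jwt with the 4.x/5.x API (`JWT::encode($payload, $key, $alg)` / `JWT::decode($jwt, $key, $allowed_algs)`) loaded through Composer, and a hypothetical `jwt_secret` config item. It accepts the token either as an `Authorization: Bearer` header (what `$.ajaxSetup` can attach to every request) or as the `usertoken` POST field from the question, and it also checks that the user id in the URL matches the id inside the token, because a signed token only proves who the caller is, not that they may read someone else's profile.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Added example, not the asker's code. Assumes CodeIgniter 3, the question's
// Profiles_model, and firebase/php-jwt 4.x/5.x loaded via Composer autoload.
use \Firebase\JWT\JWT;

class Profiles extends CI_Controller
{
    private $jwt_secret;                  // hypothetical config item, kept out of source
    private $jwt_algs = array('HS256');   // pin the algorithm; never accept "none"

    public function __construct()
    {
        parent::__construct();
        $this->load->model('Profiles_model');
        $this->jwt_secret = $this->config->item('jwt_secret');
    }

    // Returns the verified token payload, or NULL when the request carries no
    // valid token. Reads "Authorization: Bearer <jwt>" first and falls back to
    // the usertoken POST field used in the question.
    private function _verify_token()
    {
        $header = $this->input->get_request_header('Authorization');
        if ($header !== NULL && preg_match('/^Bearer\s+(\S+)$/i', $header, $m)) {
            $jwt = $m[1];
        } else {
            $jwt = $this->input->post('usertoken');
        }
        if (empty($jwt)) {
            return NULL;
        }
        try {
            // Verifies the HMAC signature and, if the payload carries them,
            // the exp/nbf claims; throws instead of returning bad data.
            return JWT::decode($jwt, $this->jwt_secret, $this->jwt_algs);
        } catch (Exception $e) {
            log_message('error', 'JWT rejected: ' . $e->getMessage());
            return NULL;
        }
    }

    public function get_profile($user_id)
    {
        $claims = $this->_verify_token();
        if ($claims === NULL || !isset($claims->userID)) {
            return $this->_json(401, array('error' => 'authentication required'));
        }

        // Authorisation, not just authentication: a valid token for user 2
        // must not be able to read /profiles/get_profile/5. Either drop the
        // URL parameter and use the token's id, or compare them as done here.
        if ((int) $user_id !== (int) $claims->userID) {
            return $this->_json(403, array('error' => 'forbidden'));
        }

        $profile = array();
        foreach ($this->Profiles_model->get_profile((int) $user_id) as $row) {
            $profile[] = array(
                'user_id'       => $row->userID,
                'username'      => $row->username,
                'profile_image' => $row->profileImage,
                'email_address' => $row->emailAddress,
            );
        }
        return $this->_json(200, $profile);
    }

    // Emit JSON straight from the controller; no json_output view is needed.
    private function _json($status, $body)
    {
        $this->output
            ->set_status_header($status)
            ->set_content_type('application/json', 'utf-8')
            ->set_output(json_encode($body, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES));
    }
}
```

Two things to watch when wiring this up. Apache and some FastCGI setups do not pass the `Authorization` header through to PHP, so if `get_request_header('Authorization')` always comes back NULL, either enable it in the server config or send the token in a custom header (for example `X-Auth-Token`) and read that name instead. And the token issued at login in the question has no `exp` claim, so a copied token from local storage is valid forever; adding `'iat' => time()` and `'exp' => time() + 3600` to the payload at login makes php-jwt's `decode()` reject it once it has expired, with no extra code on this side.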
  • After echoing back the encoded token, are you inserting it somewhere into the html document ? And may ask why are you returning the profile json data inside a view and not directly from the controller ? – DavidDomain Sep 03 '16 at 17:09
  • @DavidDomain hi. Thanks. I'm storing the token in local storage when it comes back. You see, I want the user to stay logged in to the app until they log out, so if they close the app, then next time they open the app, they don't have to enter login details, but I check that the user token in local storage is valid by posting it to the server. To answer your next question: I just learnt codeIgniter in college recently and we were told to do it strictly MVC for an assignment a few months ago. For this project, I never thought of outputting it from the controller. Would that be better for this purpose? – Sarah Sep 03 '16 at 17:29
  • @DavidDomain I learnt about the token authentication here: http://stackoverflow.com/questions/29179790/working-example-of-implementing-token-based-authentication-using-json-web-tok – Sarah Sep 03 '16 at 17:34
  • So basically check if the remember token exists in local storage, before doing anything else. If it does, make a post request with the token, which will be handled by a method inside a controller taking care of authentication features of your app. You already have everything you need. What exactly are you having trouble with? – DavidDomain Sep 03 '16 at 18:58
  • Thanks. I have it working a bit better now. I was confused with how to send the token over to my codeIgniter service, but what I've done now is: on the client side, instead of using .getJSON I am using $.ajax so that I can post the token over to the url and receive the JSON back. Also I have taken out the view as you suggested. One quick question: is it safe to insert things like username, email address etc. into the HTML on the app? (Say, for instance, in a user account area on the app.) – Sarah Sep 03 '16 at 19:11
  • Inserting username and email should not be a security issue as long as you do not insert authentication data like passwords, not even encrypted or hashed passwords, just don't. To send your remember token alongside each request without having to add it to individual ajax requests you can use `$.ajaxSetup({ headers: { 'token' : 'token-from-local-storage' } })`; take a look at [jQuery.ajaxSetup()](https://api.jquery.com/jquery.ajaxsetup/). Happy coding. ;) – DavidDomain Sep 03 '16 at 19:39
  • Great! Thank you for your help. Much appreciated :) – Sarah Sep 03 '16 at 20:09
  • @DavidDomain hi. Can I ask you another question regarding user login/authentication? I didn't want to post it as a full question; it might be seen as too general. It's about social login. Thanks. – Sarah Sep 12 '16 at 09:40

0 Answers