You could use the JWT (JSON Web Token) standard to learn more about this process. JSON web tokens are broken up into three parts all separated by a period:
header.payload.signature
The header is created by making claims about the token, for example its type and algorithm used:
$header = json_encode(['typ' => 'JWT', 'alg' => 'HS256']); // the standard header claim names are "typ" and "alg"
More information on the difference between the signing algorithms
The payload contains important information that is used by the application, for example an identifier for a user. It can also contain other information like the expiration, issuer, etc:
$payload = json_encode([
    'user_id' => 56,
    'exp'     => time() + 2 * 60 * 60, // set expiration to 2 hours from now, etc.
]);
These can then be encoded with the base64_encode() and hash_hmac() functions.
The signature is a special part. It is a concatenation of the header and payload, with an appended "secret". The secret is a string that is only known by you and your application. Adding this to your token "signs" it, and makes it so that you're the only one that can properly validate it. This might be a good site to generate a "secret".
You would store the secret in a secure place outside of your publicly accessible folder, and retrieve it when needed (dotenv libraries are great for this). Those are all appended together and encoded to create your token and give to the client.
When you receive the token to validate, you can explode it into three parts since each is separated by a period, and then validate each piece to your liking. For example if you received a token you could do the following:
// validate token in header.payload.signature format
$token = explode('.', $token);
$header = $token[0]; // header should be first
$payload = $token[1]; // payload should be second
$signature = $token[2]; // signature should be third
Remember the signature is a hash of the header, payload, and secret. So you could decode this, and compare it to $token[0] and $token[1] to ensure that the token was not tampered with, and finally make sure that the secret matches as well.
Reference: How to Create a JSON Web Token Using PHP
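As an added example that is not part of the original answer, here is the full HS256 sign-and-verify pair in PHP, filling in the parts the answer leaves to the reader: base64url encoding, recomputing the HMAC over header.payload, a constant-time comparison, an alg check and expiry handling. The secret is a constructed placeholder; in practice load it from the environment as the answer suggests.

```php
<?php
// Added example, not code from the original answer: a minimal HS256 JWT
// issue/verify pair using the standard "typ"/"alg" header names and
// base64url encoding. The secret below is a constructed demo value.

function base64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string {
    $decoded = base64_decode(strtr($data, '-_', '+/'), true);
    return $decoded === false ? '' : $decoded;
}

function jwt_sign(array $payload, string $secret): string {
    $header = base64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $body   = base64url_encode(json_encode($payload));
    $sig    = hash_hmac('sha256', "$header.$body", $secret, true); // raw bytes
    return "$header.$body." . base64url_encode($sig);
}

// Returns the claims on success, or null for any malformed, tampered or expired token.
function jwt_verify(string $token, string $secret): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$header, $body, $sig] = $parts;
    $hdr = json_decode(base64url_decode($header), true);
    // Do not trust "alg" from the token: accept only the algorithm you issued with.
    if (!is_array($hdr) || ($hdr['alg'] ?? null) !== 'HS256') {
        return null;
    }
    // Recompute the HMAC over the received header.payload and compare in constant time.
    $expected = hash_hmac('sha256', "$header.$body", $secret, true);
    if (!hash_equals($expected, base64url_decode($sig))) {
        return null;
    }
    $claims = json_decode(base64url_decode($body), true);
    if (!is_array($claims) || (isset($claims['exp']) && $claims['exp'] < time())) {
        return null;
    }
    return $claims;
}

$secret = 'constructed-demo-secret-use-an-env-var-in-practice';
$jwt = jwt_sign(['user_id' => 56, 'exp' => time() + 7200], $secret);
var_dump(jwt_verify($jwt, $secret)['user_id']); // int(56)
var_dump(jwt_verify($jwt . 'x', $secret));      // NULL: signature no longer matches
```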