CodeIgniter Forums

Full Version: Restrict access to dev web app but allow JSON requests
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

El Forum

[eluser]jessejimz[/eluser]
Hi, CI world,

I've been developing on CI for a couple of years now. Most recently, I've been working on a web app that also exposes JSON apis to mobile clients. My goal is to block/restrict access to all views in my app but keep JSON apis open.

In other words, visitors should not be able to see our app on our dev server. But mobile clients should still be able to connect to our JSON apis.

Any one have any experience or tips to share on how to accomplish this in CI?

Thanks in advance for any thoughts you have to share.

Jess

El Forum

[eluser]vitoco[/eluser]
I think that the best way ( most secure, but maybe not the most quick way ) to restrict access will be with custom routes, listing first the allowed urls, and later routing everything else to 404

Code:
$route['first/path/with/apis/(:any)'] = "first/path/with/apis/$1";
$route['second/path/with/apis/(:any)'] = "second/path/with/apis/$1";
$route['(:any)'] = "404";

Also if you want to check if it's a mobile client, with a post_controller_constructor hook you can do that, but it's not very secure because you can mimic the user_agent.

Code:
// IN post_controller_constructor HOOK
// ENABLE user_agent lib in config/autoload.php
$CI = & get_instance();
if( ! $CI->agent->is_mobile() )
{
    show404();
}

Saludos

El Forum

[eluser]Aken[/eluser]
First, I would use .htaccess instead of routes to "disable" the website. If you're still developing it, then you'll obviously need access to it with proper credentials, instead of just throwing a 404 all the time.

Second, how exactly are clients accessing the API? Standard HTTP? Ajax requests only?

If the API is accessible like most RESTful API's, then I would leave access open to it, and only restrict based on any standards your API has (do they need an API key or other credentials?). If the API is only called through Ajax, then you can use the $this->input->is_ajax_request() function to filter (note - not entirely reliable - I'd stick with RESTful for an API, anyway).

Blocking access to parts depends on your app - if you're talking about blocking the website portion of it, then using .htaccess or even a server-side authorization should be plenty sufficient.

El Forum

[eluser]jessejimz[/eluser]
Vitoco, Aken,

Thanks so much for taking the time to ponder my challenge. Both suggestions are awesome and will explore both. For the benefit of others, I'll post here what I end up implementing.

Calurosos Saludos,

Jesse