CodeIgniter Forums
Restrict access to dev web app but allow JSON requests - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forum-20.html)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forum-23.html)
+--- Thread: Restrict access to dev web app but allow JSON requests (/thread-52922.html)



Restrict access to dev web app but allow JSON requests - El Forum - 07-02-2012

[eluser]jessejimz[/eluser]
Hi, CI world,

I've been developing on CI for a couple of years now. Most recently, I've been working on a web app that also exposes JSON apis to mobile clients. My goal is to block/restrict access to all views in my app but keep JSON apis open.

In other words, visitors should not be able to see our app on our dev server. But mobile clients should still be able to connect to our JSON apis.

Any one have any experience or tips to share on how to accomplish this in CI?

Thanks in advance for any thoughts you have to share.

Jess


Restrict access to dev web app but allow JSON requests - El Forum - 07-03-2012

[eluser]vitoco[/eluser]
I think that the best way ( most secure, but maybe not the most quick way ) to restrict access will be with custom routes, listing first the allowed urls, and later routing everything else to 404

Code:
$route['first/path/with/apis/(:any)'] = "first/path/with/apis/$1";
$route['second/path/with/apis/(:any)'] = "second/path/with/apis/$1";
$route['(:any)'] = "404";

Also if you want to check if it's a mobile client, with a post_controller_constructor hook you can do that, but it's not very secure because you can mimic the user_agent.

Code:
// IN post_controller_constructor HOOK
// ENABLE user_agent lib in config/autoload.php
$CI = & get_instance();
if( ! $CI->agent->is_mobile() )
{
    show404();
}

Saludos


Restrict access to dev web app but allow JSON requests - El Forum - 07-03-2012

[eluser]Aken[/eluser]
First, I would use .htaccess instead of routes to "disable" the website. If you're still developing it, then you'll obviously need access to it with proper credentials, instead of just throwing a 404 all the time.

Second, how exactly are clients accessing the API? Standard HTTP? Ajax requests only?

If the API is accessible like most RESTful API's, then I would leave access open to it, and only restrict based on any standards your API has (do they need an API key or other credentials?). If the API is only called through Ajax, then you can use the $this->input->is_ajax_request() function to filter (note - not entirely reliable - I'd stick with RESTful for an API, anyway).

Blocking access to parts depends on your app - if you're talking about blocking the website portion of it, then using .htaccess or even a server-side authorization should be plenty sufficient.


Restrict access to dev web app but allow JSON requests - El Forum - 07-05-2012

[eluser]jessejimz[/eluser]
Vitoco, Aken,

Thanks so much for taking the time to ponder my challenge. Both suggestions are awesome and will explore both. For the benefit of others, I'll post here what I end up implementing.

Calurosos Saludos,

Jesse