+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: CodeIgniter 4 (https://forum.codeigniter.com/forumdisplay.php?fid=28)
+--- Forum: CodeIgniter 4 Support (https://forum.codeigniter.com/forumdisplay.php?fid=30)
+--- Thread: User authentication (/showthread.php?tid=75705)
User authentication - Parker1090 - 03-08-2020
Hi all
Just having a play around with CI4 after using CI3 for several years.
In CI3, I had a master controller saved as one of the Core files (e.g. MY_Controller.php) which as part of the construct, checked a few details like if a user was logged in or not, and displayed the relevant errors.
So my test case with CI4 is a mini-API based app, so I love the idea of the API Response Trait.
At the moment I have all the tests in the initController function as I believe this is the best play to put it. But even when I use failUnauthorized(); for example, it still returns content from the child controller.
It's not completed - I'm just trying to nail down the authentication part at the moment. It's likely I've just misunderstood something, but any pointers appreciated!
PHP Code:
<?php namespace App\Controllers;
use CodeIgniter\API\ResponseTrait;
/**
* Controller to assist with API authentication etc.
*/
class ApiBaseController extends BaseController
{
use ResponseTrait;
/**
* Constructor.
*/
public function initController(\CodeIgniter\HTTP\RequestInterface $request, \CodeIgniter\HTTP\ResponseInterface $response, \Psr\Log\LoggerInterface $logger)
{
/** Do Not Edit This Line */
parent::initController($request, $response, $logger);
/** Is there an API Key specified? */
if(($this->request->hasHeader('X-API-Key')) && ($this->request->hasHeader('X-Application')))
{
$apiKey = $this->request->getHeader('X-API-Key');
/** Authenticate the app */
$appModel = new \App\Models\ApplicationModel();
$appData = $appModel->find(($this->request->getHeader('X-Application'))->getValue());
/** Have we found the app? */
if(!$appData)
{
return $this->failUnauthorized("Unauthorized");
}
}
else
{
$this->response
->setStatusCode(401)
->setBody('');
}
}
}
RE: User authentication - includebeer - 03-08-2020
In CI4, a filter would be the way to go: https://codeigniter4.github.io/userguide/incoming/filters.html
You can check out how Lonnie did it in Myth Auth: https://github.com/lonnieezell/myth-auth
RE: User authentication - Parker1090 - 03-13-2020
(03-08-2020, 11:34 AM)includebeer Wrote: In CI4, a filter would be the way to go: https://codeigniter4.github.io/userguide/incoming/filters.html
You can check out how Lonnie did it in Myth Auth: https://github.com/lonnieezell/myth-auth
Thanks includebeer - that's really helpful!
I notice even in the example of Myth Auth they redirect if a user isn't logged in, which is fine with a standard user login process. But how would you handle this in an API scenario? Would the case be to fail them in the filter (e.g. return 401), or would it be done elsewhere? If it's the former, what's the correct way to handle this and halt the request going any further?
Sorry for the questions, just trying to get my head around it!
RE: User authentication - includebeer - 03-14-2020
(03-13-2020, 05:45 AM)Parker1090 Wrote: But how would you handle this in an API scenario? Would the case be to fail them in the filter (e.g. return 401), or would it be done elsewhere? If it's the former, what's the correct way to handle this and halt the request going any further?
I’m not sure what’s the best way to do it, but I would fail the request in the filter. Maybe use failUnauthorized() from the API Response Trait class.
RE: User authentication - Parker1090 - 03-16-2020
That was my thought initially, but I've tried this and an exception is thrown. To me, it's the logical place to do this, but the exception is thrown by a system file:
Code:
"title": "ErrorException",
"type": "ErrorException",
"code": 500,
"message": "Undefined property: App\\Filters\\ApiBaseFilter::$response",
"file": "\\vendor\\codeigniter4\\framework\\system\\API\\ResponseTrait.php",
"line": 128,This seems to be looking for a $response in the filter, but because it's the before function, there's only a request.
I have found a workaround, but I'm wondering if this is intended behaviour? And if it is, how should the API Response Trait actually be used?