Code example #1
File: index.php Project: raven7/Restler
3. Add `@access protected` comment to the class to protect all methods of that
   class


In order to provide access to those protected methods, we use a class that
implements `iAuthenticate`. Also note that an authentication class is also an
API class, so all public methods that do not begin with `_` will be exposed as
API methods, for example [SimpleAuth::key](simpleauth/key). It can be used to
create login/logout methods.

Example 1: GET restricted returns

{
  "error": {
    "code": 401,
    "message": "Unauthorized"
  }
}

 Example 2: GET restricted?key=rEsTlEr2 returns "protected method"

 Example 3: GET secured?key=rEsTlEr2 returns "protected class"
*/
require_once '../../../vendor/restler.php';
use Luracast\Restler\Restler;
$r = new Restler();
$r->addAPIClass('Simple', ''); // map it to root
$r->addAPIClass('Secured');
$r->addAuthenticationClass('SimpleAuth');
$r->handle();
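
One way to audit an authentication class against the exposure rule described in the comment above (public methods not beginning with `_` become API methods). This is an added example, not code from Restler or from the listed projects: `iAuthenticateStandIn`, `DemoAuth`, `exposedMethods` and `auditAuthClass` are hypothetical names, the stand-in interface replaces Restler's `iAuthenticate` so the file runs on its own, and the key is a constructed value.

```php
<?php
// Stand-in for Restler's iAuthenticate (assumption) so this file runs alone.
interface iAuthenticateStandIn
{
    public function __isAllowed();
}

// Constructed authentication class: one intended endpoint, one leak.
class DemoAuth implements iAuthenticateStandIn
{
    const KEY = 'constructed-demo-key';

    public function __isAllowed()
    {
        $key = isset($_GET['key']) ? (string) $_GET['key'] : '';
        // Constant-time comparison; hash_equals() needs PHP >= 5.6.
        return hash_equals(self::KEY, $key);
    }

    // Intended to be reachable as an API method.
    public function login() { return 'ok'; }

    // Public and no leading underscore: reachable, and it returns the secret.
    public function key() { return self::KEY; }

    // Leading underscore keeps this helper out of the API surface.
    public function _rotateKey() { return null; }
}

// Names the page's rule would expose: public, not starting with "_".
function exposedMethods($class)
{
    $names = array();
    $ref = new ReflectionClass($class);
    foreach ($ref->getMethods(ReflectionMethod::IS_PUBLIC) as $method) {
        if (strpos($method->getName(), '_') !== 0) {
            $names[] = $method->getName();
        }
    }
    sort($names);
    return $names;
}

// Exposed methods that are not on the reviewer's allow-list.
function auditAuthClass($class, array $allowed)
{
    return array_values(array_diff(exposedMethods($class), $allowed));
}

print_r(auditAuthClass('DemoAuth', array('login')));
```

Run against `DemoAuth` with only `login` allowed, the audit reports `key`, the method that would hand the secret to any caller.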
Code example #2
File: index.php Project: raven7/Restler
> **Note:-**
>
>  1. Using session variables as DB and Cache is useless for real life and wrong. We are using it
>     only for demo purposes. Since API Explorer is browser based it works well with that.
>
>  2. We are using Author.php to document return type of `GET authors/{id}` using `@return` comment

If you have hit the API Rate Limit or screwed up the Authors DB, you can easily reset it by deleting
the PHP_SESSION cookie using the Developer Tools in your browser.

Helpers: Author

Footer:
*[Author.php]: _009_rate_limiting/Author.php
*/
use Luracast\Restler\Defaults;
use Luracast\Restler\Filter\RateLimit;
use Luracast\Restler\Restler;
require_once '../../../vendor/restler.php';
//reuse the SessionDB from CRUD Example
require_once '../_007_crud/DB/Session.php';
//used only for demo; comment out the following line
Defaults::$cacheClass = 'SessionCache';
//set extreme value for quick testing
RateLimit::setLimit('hour', 10);
$r = new Restler();
$r->addAPIClass('ratelimited\\Authors');
$r->addAPIClass('Resources');
$r->addFilterClass('RateLimit');
$r->addAuthenticationClass('KeyAuth');
$r->handle();
Code example #3
File: index.php Project: raven7/Restler
    @format HtmlFormat
    @view oauth2/server/authorize.twig

The @view and @format comments above the `authorize` method will serve the data through the right template (view) file
to the user. Following a user granting authorization, the server will use the client application's *callback* function
to pass back an access token.

### Authentication ###
For any Restler resources which require authentication, the OAuth server will use the 'code' *query parameter* and
compare that to its internal records to validate that the user has the appropriate permissions.

> **Note:-**
> there is an optional parameter on the server that allows the Access Token to be passed as a header variable instead of
> a query parameter.

## In Conclusion ##
Many people are familiar with OAuth clients from experience, either as a user who has granted permissions to apps or
as a developer who has downloaded one of the many OAuth clients to get at social data from sources like Twitter,
Facebook, Foursquare, etc. The server side of the interaction is less familiar, yet it needs to be the primary focus
for any RESTful API that holds data other applications would benefit from accessing. Brent Shaffer's
[OAuth2 Server](http://bshaffer.github.io/oauth2-server-php-docs/) solution focuses on the server side of the
interaction but provides both client and server components, and both are now readily available to Restler customers
who want to offer or connect into the world of OAuth2.
*/
require_once "../../../vendor/restler.php";
use Luracast\Restler\Restler;
$r = new Restler();
$r->addAuthenticationClass('Auth\\Server', '');
$r->setOverridingFormats('JsonFormat', 'HtmlFormat', 'UploadFormat');
$r->handle();
Code example #4
File: index.php Project: raven7/Restler
<?php

/*
Title: Access Control
Tagline: Who can do what
Tags: access-control, acl, secure, authentication, authorization
Requires: PHP >= 5.3
Description:
This example shows how you can extend the authentication system to create
a robust access control system. As an added bonus, we also restrict the API
documentation based on the same.

When the `api_key` is

- blank you will see the public api
- `12345` you will see the API that is accessible by a user
- `67890` you will see all of the API, as you have the admin rights

Try it out yourself [here](explorer/index.html#!/v1)
*/
require_once '../../../vendor/restler.php';
use Luracast\Restler\Restler;
$r = new Restler();
$r->addAPIClass('Access', '');
$r->addAPIClass('Resources');
$r->addAuthenticationClass('AccessControl');
$r->handle();
Code example #5
File: index.php Project: emildev35/processmaker
    @format HtmlFormat
    @view oauth2/server/authorize.twig

The @view and @format comments above the `authorize` method will serve the data through the right template (view) file to the user. Following a user
granting authorization, the server will use the client application's *callback* function to pass back an access token.

### Authentication ###
For any Restler resources which require authentication, the OAuth server will use the 'code' *query parameter* and compare that to
its internal records to validate that the user has the appropriate permissions.

> **Note:-**
> there is an optional parameter on the server that allows the Access Token to be passed as a header variable instead of a
> query parameter.

## In Conclusion ##
Many people are familiar with OAuth clients from experience, either as a user who has granted permissions to apps or
as a developer who has downloaded one of the many OAuth clients to get at social data from sources like Twitter, Facebook, Foursquare, etc.
The server side of the interaction is less familiar, yet it needs to be the primary focus for any RESTful API that holds
data other applications would benefit from accessing. Brent Shaffer's
[OAuth2 Server](http://bshaffer.github.io/oauth2-server-php-docs/) solution focuses on the server side of the interaction
but provides both client and server components, and both are now readily available to Restler customers who want to offer or connect into
the world of OAuth2.
*/
require_once "../../../vendor/restler.php";
require_once "OAuth2/Server.php";
use Luracast\Restler\Restler;
use OAuth2\Server;
$r = new Restler();
$r->addAuthenticationClass('OAuth2\\Server', '');
$r->setOverridingFormats('JsonFormat', 'HtmlFormat', 'UploadFormat');
$r->handle();