3. Add an `@access protected` comment to the class to protect all methods of that class.

In order to provide access to those protected methods we use a class that implements `iAuthenticate`. Also note that an authentication class is also an API class, so all public methods that do not begin with `_` will be exposed as API, for example [SimpleAuth::key](simpleauth/key). It can be used to create login/logout methods.

Example 1: GET restricted

returns

{
  "error": {
    "code": 401,
    "message": "Unauthorized"
  }
}

Example 2: GET restricted?key=rEsTlEr2

returns

"protected method"

Example 3: GET secured?key=rEsTlEr2

returns

"protected class"

```php
require_once '../../../vendor/restler.php';

use Luracast\Restler\Restler;

$r = new Restler();
$r->addAPIClass('Simple', ''); // map it to root
$r->addAPIClass('Secured');
$r->addAuthenticationClass('SimpleAuth');
$r->handle();
```
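The three classes the bootstrap above wires together, written here as an added example rather than the project's own `SimpleAuth`, `Simple` and `Secured` files. It assumes Restler 3's `iAuthenticate` interface (`__isAllowed()` grants or denies the call, `__getWWWAuthenticateString()` fills the `WWW-Authenticate` header on a 401), PHP 5.6 or later for `hash_equals()`, and an `X-Api-Key` header name that is this example's own choice; the key value `rEsTlEr2` is the page's demo key.

```php
<?php
// Added example; not the project's own SimpleAuth/Simple/Secured classes.
use Luracast\Restler\iAuthenticate;

/**
 * Authentication class. Because it is also an API class, the public method
 * `key` is exposed as GET simpleauth/key (a login-style endpoint), while the
 * `__`-prefixed methods are not.
 */
class SimpleAuth implements iAuthenticate
{
    // Demo key from the page; real keys belong in a store, not in source.
    const KEY = 'rEsTlEr2';

    public function __isAllowed()
    {
        // Accept the key from an X-Api-Key header (assumed name) first so the
        // secret stays out of URLs, access logs and browser history; fall back
        // to ?key= so the page's examples still work.
        $supplied = isset($_SERVER['HTTP_X_API_KEY'])
            ? $_SERVER['HTTP_X_API_KEY']
            : (isset($_GET['key']) ? $_GET['key'] : '');

        // hash_equals() is a constant-time comparison and refuses non-strings;
        // a loose `==` would leak match progress via timing and type-juggle.
        return is_string($supplied) && hash_equals(self::KEY, $supplied);
    }

    public function __getWWWAuthenticateString()
    {
        // Tells the client where the credential is expected (assumed format).
        return 'Query name="key"';
    }

    /** Exposed as GET simpleauth/key: demo-only hint for the API explorer. */
    public function key()
    {
        return self::KEY;
    }
}

/** Mapped to the root: one public and one protected method. */
class Simple
{
    public function index()
    {
        return 'public method';
    }

    /**
     * Requires SimpleAuth::__isAllowed() to return true.
     * @access protected
     */
    public function restricted()
    {
        return 'protected method';
    }
}

/**
 * The class-level annotation protects every method of this class.
 * @access protected
 */
class Secured
{
    public function index()
    {
        return 'protected class';
    }
}
```

With these in place, `GET restricted` without a key yields the 401 body shown in Example 1, and the same request with `?key=rEsTlEr2` (or the `X-Api-Key` header) yields `"protected method"`.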
> **Note:-**
>
> 1. Using session variables as a DB and cache is wrong and useless for real-life use; we use them only for demo purposes. Since the API Explorer is browser based, it works well with that.
>
> 2. We are using Author.php to document the return type of `GET authors/{id}` using the `@return` comment.

If you have hit the API rate limit or screwed up the Authors DB, you can easily reset by deleting the PHP_SESSION cookie using the Developer Tools in your browser.

Helpers: Author

Footer:

*[Author.php]: _009_rate_limiting/Author.php

```php
use Luracast\Restler\Defaults;
use Luracast\Restler\Filter\RateLimit;
use Luracast\Restler\Restler;

require_once '../../../vendor/restler.php';
// reuse the SessionDB from the CRUD example
require_once '../_007_crud/DB/Session.php';

// used only for demo; comment out the following line
Defaults::$cacheClass = 'SessionCache';

// set an extreme value for quick testing
RateLimit::setLimit('hour', 10);

$r = new Restler();
$r->addAPIClass('ratelimited\\Authors');
$r->addAPIClass('Resources');
$r->addFilterClass('RateLimit');
$r->addAuthenticationClass('KeyAuth');
$r->handle();
```
    @format HtmlFormat
    @view oauth2/server/authorize.twig

The `@view` and `@format` comments above the `authorize` method serve the data through the right template (view) file out to the user. Following a user granting authorization, the server will use the client application's *callback* function to pass back an access token.

### Authentication ###

For any Restler resources which require authentication, the OAuth server will use the 'code' *query parameter* and compare it to its internal records to validate that the user has the appropriate permissions.

> **Note:-**
> There is an optional parameter on the server that allows the Access Token to be passed as a header variable instead of
> a query parameter.

## In Conclusion ##

Many people are experientially familiar with OAuth clients, either as a user who has granted apps permissions or as a developer who has downloaded one of many OAuth clients to get at social data from sources like Twitter, Facebook, Foursquare, etc. The server side of the interaction is less familiar, yet it needs to be the primary focus for any RESTful API whose data other applications would benefit from accessing. Brett Shaffer's [OAuth2 Server](http://bshaffer.github.io/oauth2-server-php-docs/) solution focuses on the server side of the interaction but provides both client and server components, and both are now readily available to Restler customers who want to offer or connect into the world of OAuth2.

```php
require_once "../../../vendor/restler.php";

use Luracast\Restler\Restler;

$r = new Restler();
$r->addAuthenticationClass('Auth\\Server', '');
$r->setOverridingFormats('JsonFormat', 'HtmlFormat', 'UploadFormat');
$r->handle();
```
Title: Access Control

Tagline: Who can do what

Tags: access-control, acl, secure, authentication, authorization

Requires: PHP >= 5.3

Description: This example shows how you can extend the authentication system to create a robust access control system. As an added bonus, we also restrict the API documentation based on the same.

When the `api_key` is

- blank, you will see the public API
- `12345`, you will see the API that is accessible by a user
- `67890`, you will see all the APIs, as you have the admin rights

Try it out yourself [here](explorer/index.html#!/v1)

```php
<?php
require_once '../../../vendor/restler.php';

use Luracast\Restler\Restler;

$r = new Restler();
$r->addAPIClass('Access', '');
$r->addAPIClass('Resources');
$r->addAuthenticationClass('AccessControl');
$r->handle();
```
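One way to build the role-based check the description refers to, as an added example and not the project's own `AccessControl`/`Access` files. It assumes Restler 3's `iAuthenticate` interface, PHP 5.6 or later for `hash_equals()`, and Restler's `@class AccessControl {@requires admin}` method annotation, which sets the named public static property on the authentication class for the duration of that call (an assumption about Restler's metadata handling). The two keys are the page's demo values; mapping them to roles in source is for illustration only.

```php
<?php
// Added example; not the project's own AccessControl/Access classes.
use Luracast\Restler\iAuthenticate;

class AccessControl implements iAuthenticate
{
    /** Role required by the current API method; overridden via @class annotation. */
    public static $requires = 'user';
    /** Role resolved for the current request, readable by API classes. */
    public static $role = 'guest';

    // Demo keys from the page (constructed mapping); a real deployment looks
    // up hashed keys in a store instead of keeping them in source.
    private static $keys = array(
        '12345' => 'user',
        '67890' => 'admin',
    );

    // Ordered roles: admin may do everything a user may, guest only public calls.
    private static $rank = array('guest' => 0, 'user' => 1, 'admin' => 2);

    public function __isAllowed()
    {
        static::$role = 'guest';
        $supplied = isset($_GET['api_key']) ? (string) $_GET['api_key'] : '';

        foreach (self::$keys as $known => $role) {
            // hash_equals() keeps the comparison constant-time per key.
            if (hash_equals($known, $supplied)) {
                static::$role = $role;
                break;
            }
        }

        // Deny by default: an unknown @requires value maps to the highest rank.
        $needed = isset(self::$rank[static::$requires])
            ? self::$rank[static::$requires]
            : PHP_INT_MAX;
        return self::$rank[static::$role] >= $needed;
    }

    public function __getWWWAuthenticateString()
    {
        return 'Query name="api_key"';
    }
}

/** Mapped to the root; each method states the role it needs. */
class Access
{
    /** Public: visible with a blank api_key. */
    public function index()
    {
        return 'public api, current role: ' . AccessControl::$role;
    }

    /**
     * Visible with 12345 (user) or 67890 (admin).
     * @access protected
     * @class AccessControl {@requires user}
     */
    public function user()
    {
        return 'user api';
    }

    /**
     * Visible only with 67890 (admin).
     * @access protected
     * @class AccessControl {@requires admin}
     */
    public function admin()
    {
        return 'admin api';
    }
}
```

Because the `Resources` class that drives the API Explorer runs the same authentication class, the explorer only lists the methods whose `@requires` role the supplied `api_key` satisfies, which is the documentation restriction the description mentions.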
    @format HtmlFormat
    @view oauth2/server/authorize.twig

The `@view` and `@format` comments above the `authorize` method serve the data through the right template (view) file out to the user. Following a user granting authorization, the server will use the client application's *callback* function to pass back an access token.

### Authentication ###

For any Restler resources which require authentication, the OAuth server will use the 'code' *query parameter* and compare it to its internal records to validate that the user has the appropriate permissions.

> **Note:-**
> There is an optional parameter on the server that allows the Access Token to be passed as a header variable instead of a
> query parameter.

## In Conclusion ##

Many people are experientially familiar with OAuth clients, either as a user who has granted apps permissions or as a developer who has downloaded one of many OAuth clients to get at social data from sources like Twitter, Facebook, Foursquare, etc. The server side of the interaction is less familiar, yet it needs to be the primary focus for any RESTful API whose data other applications would benefit from accessing. Brett Shaffer's [OAuth2 Server](http://bshaffer.github.io/oauth2-server-php-docs/) solution focuses on the server side of the interaction but provides both client and server components, and both are now readily available to Restler customers who want to offer or connect into the world of OAuth2.

```php
require_once "../../../vendor/restler.php";
require_once "OAuth2/Server.php";

use Luracast\Restler\Restler;
use OAuth2\Server;

$r = new Restler();
$r->addAuthenticationClass('OAuth2\\Server', '');
$r->setOverridingFormats('JsonFormat', 'HtmlFormat', 'UploadFormat');
$r->handle();
```
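The token check that the Authentication section describes, written as an added example and not as Restler's or the oauth2-server-php project's own code: a Restler `iAuthenticate` class that hands each request to Brett Shaffer's library for validation. It assumes Restler 3's `iAuthenticate` interface, the library's `OAuth2\Server`, `OAuth2\Request` and `OAuth2\Storage\Pdo` classes with their documented constructors and `verifyResourceRequest()` / `getAccessTokenData()` methods, and a `@class ResourceServerAuth {@scope ...}` annotation for per-method scopes; the DSN and credentials are placeholders.

```php
<?php
// Added example; not Restler's or the OAuth2 library's own code.
use Luracast\Restler\iAuthenticate;
use OAuth2\Request;
use OAuth2\Server;
use OAuth2\Storage\Pdo;

class ResourceServerAuth implements iAuthenticate
{
    /** Scope the current API method needs; null means any valid token. */
    public static $scope = null;
    /** Token record of the authenticated request, for API classes to read. */
    public static $token = array();

    private function server()
    {
        static $server = null;
        if ($server === null) {
            // Placeholder connection settings; point these at the store that
            // holds the tokens the authorize step above issued.
            $storage = new Pdo(array(
                'dsn'      => 'PLACEHOLDER_DSN',
                'username' => 'PLACEHOLDER_USER',
                'password' => 'PLACEHOLDER_PASSWORD',
            ));
            $server = new Server($storage);
        }
        return $server;
    }

    public function __isAllowed()
    {
        $request = Request::createFromGlobals();

        // verifyResourceRequest() reads the token from the Authorization: Bearer
        // header or, when enabled, from the access_token query parameter, checks
        // it against stored records, its expiry and the required scope. Clients
        // should send the header form so tokens stay out of URLs and server logs.
        if (!$this->server()->verifyResourceRequest($request, null, static::$scope)) {
            return false;
        }

        static::$token = $this->server()->getAccessTokenData($request);
        return true;
    }

    public function __getWWWAuthenticateString()
    {
        // Sent back with the 401 so clients know a bearer token is expected.
        return 'Bearer realm="api"';
    }
}

/** Resource whose methods require a token; per-method scope via annotation. */
class Profile
{
    /**
     * @access protected
     * @class ResourceServerAuth {@scope profile}
     */
    public function get()
    {
        $token = ResourceServerAuth::$token;
        return array(
            'user_id'   => isset($token['user_id']) ? $token['user_id'] : null,
            'client_id' => isset($token['client_id']) ? $token['client_id'] : null,
        );
    }
}
```

Registering the class with `$r->addAuthenticationClass('ResourceServerAuth')` alongside the bootstrap above makes every `@access protected` method require a valid token, and a request whose token lacks the `profile` scope is refused before the method runs.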