Regular user 2016-02-19 12:26
Views 298

Using JWT Auth with an existing authentication system

So, this is the first time that I am trying to implement auth in my API. I already had an existing authentication system, Cartalyst Sentinel 2.0, and now to add auth I am using JWT. What I have done is:

  • Send a token to the client end at the time of login.

  • Replaced the existing authentication sentinel middleware with a new middleware that does both authentication and authorization.

Original middleware:

$authenticateForLogin = function ($app, $user) {
    return function () use ($app, $user) {
        if (Sentinel::check() === false) {
            $app->response()->status(401);
            $app->stop();
        }
    };
};

New middleware:

// JWT::decode($jwt, $key, array $allowedAlgs) is the signature of the older
// firebase/php-jwt releases, which is what this code calls.
use Firebase\JWT\JWT;

$checkForAuthorization = function ($app, $user) {
    return function () use ($app, $user) {
        if (Sentinel::check() === false) {
            $app->response()->status(401);
            $app->stop();
        } else {
            // The key may be absent entirely; reading it unconditionally raises an undefined-index notice.
            $headers = apache_request_headers();
            $authHeader = isset($headers["Authorization"]) ? $headers["Authorization"] : null;
            if ($authHeader) {
                // The header value is "Bearer <token>"; the "Authorization: " name is not part of it,
                // so stripping "Authorization: Bearer " would never match and decode() would get the raw value.
                $jwt = preg_replace('/^Bearer\s+/i', '', $authHeader);
                if ($jwt) {
                    try {
                        $secretKey = base64_decode(getDbConfig()["AUTH_SECRET"]);
                        // Pinning the allowed algorithm list means the token's own "alg" header is not trusted.
                        $token = JWT::decode($jwt, $secretKey, array('HS512'));
                        header('Content-type: application/json');
                        echo json_encode([
                            'message' => "Auth Test Successful"
                        ]);
                    } catch (Exception $e) {
                        //some action
                    }
                } else {
                    //some action
                }
            } else {
                //some action
            }
        }
    };
};

So my questions are:

  • Is this the right approach? I am under the impression that authentication and authorization are two separate processes. Are there any security flaws in this?

  • Sentinel authentication is a cookie- and session-based system. So is it good to use something like JWT on top of it? Or should I do authentication also using JWT (I don't know how yet)?

I have a lot of doubts regarding Auth/JWT. But these come first.
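An added example, not from the question or its author, of how the bearer token handled by the middleware above can be extracted and verified so that validating the token (authentication) stays separate from deciding what it may do (authorization). It assumes the older firebase/php-jwt signature JWT::decode($jwt, $key, array $allowedAlgs) that the post's code calls, and a hypothetical "role" claim.

```php
<?php
// Added example (not the poster's code). Assumes firebase/php-jwt with the
// older signature JWT::decode($jwt, $key, array $allowedAlgs), as used in the post.
use Firebase\JWT\JWT;

// Extract the raw token from an "Authorization: Bearer <token>" header.
// apache_request_headers() returns only the value ("Bearer <token>"), so the
// header name must not be part of what is stripped. Header names are matched
// case-insensitively. Returns null when no usable bearer token is present.
function extractBearerToken(array $headers)
{
    foreach ($headers as $name => $value) {
        if (strcasecmp($name, 'Authorization') === 0
            && preg_match('/^Bearer\s+(\S+)$/i', trim($value), $m)) {
            return $m[1];
        }
    }
    return null;
}

// Authentication step: verify the signature and the time-based claims.
// Returns the decoded claims, or null on any failure (expired, bad signature, malformed).
function authenticateToken($jwt, $secretKey)
{
    if ($jwt === null) {
        return null;
    }
    try {
        // Pinning the algorithm list means the token's own "alg" header is not trusted.
        return JWT::decode($jwt, $secretKey, array('HS512'));
    } catch (\Exception $e) {
        return null;
    }
}

// Authorization step: a separate decision made on already-verified claims.
// "role" is a hypothetical claim name chosen for this example.
function isAuthorized($claims, $requiredRole)
{
    return $claims !== null
        && isset($claims->role)
        && $claims->role === $requiredRole;
}

// Usage inside a route middleware, matching the post's $app object:
// $claims = authenticateToken(extractBearerToken(apache_request_headers()), $secretKey);
// if ($claims === null)                { $app->response()->status(401); $app->stop(); }
// if (!isAuthorized($claims, 'admin')) { $app->response()->status(403); $app->stop(); }
```

A missing or invalid token yields 401 and a valid token without the required claim yields 403, so the two failures are distinguishable in logs and to the client.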

0 answers
