I am building a PHP API that will allow a mobile app to talk to it. The app is more of a tech demo at the moment to test technology and ideas.
To secure the app requests, certain things will need authentication.
So let's take the following for example:
    $('form').submit(function(e){
        e.preventDefault();
        var form = $(this);
        var data = form.serialize();
        $.ajax({
            type: 'POST',
            url: form.attr('action'),
            data: data,
            success: function(response){
                // show success message or error depending on authentication
            },
            error: function(a,b,c) {
            }
        });
    });
I'm also using header('Access-Control-Allow-Origin: *'); to allow the app to talk to it, and the wildcard because it's only a test at the moment. However, in a real-life situation I wouldn't have a domain, because it would be running from a mobile device rather than another domain (PhoneGap most probably).
I've looked around on the net and come across HTTP Authorization, but can't get my head around it no matter how many docs I read.
An example of it would be something like:
Authorization: TRUEREST username=john&password=test&apikey=247b5a2f72df375279573f2746686daa
and I've thought about passing said data like so based on what I've seen in jQuery docs:
    data: {
        username: 'john',
        password: 'test',
        apiKey: '247b5a2f72df375279573f2746686daa'
    },
    headers: {
        Authorization: "TRUEREST"
    },
I can check that the username and password exist in the DB first before sending back the JSON, and perhaps also check the API key in the same way, but I'm not understanding the TRUEREST part at all or what it can offer to the code.
UPDATE
I have been trying the following in my jQuery code:
    headers: {
        Authorization: "TRUEREST",
        username: 'dave',
        password: 'test',
        apiKey: 'qwe123'
    },
and then in my PHP:
    <?php
    header('Access-Control-Allow-Origin: *');
    header('Access-Control-Allow-Credentials: true');
    header('Access-Control-Allow-Headers: Authorization,Content-type,username,password,apiKey');

    if($_SERVER['REQUEST_METHOD'] == 'POST')
    {
        // Only the Authorization header is read here; split it on spaces
        // and echo the pieces back as JSON to see what PHP received.
        $headers = $_SERVER['HTTP_AUTHORIZATION'];
        $parts = explode(' ', $_SERVER['HTTP_AUTHORIZATION']);
        header('Content-type: application/json');
        print json_encode($parts);
        exit;
    }
The returned JSON is just TRUEREST! None of the others are being seen by PHP, but if I look in the web inspector they are being sent fine. I also noticed that two types of requests are being made: POST and OPTIONS.
Any ideas?
I'm basing these updates on what I have read here: https://github.com/kvz/cakephp-rest-plugin/blob/master/Controller/Component/RestComponent.php#L516
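The following is an added example, not code from the question or from the linked CakePHP plugin. It shows one way to build the endpoint the question is working towards: answer the OPTIONS preflight that the custom header triggers, read the Authorization header (including the cases where Apache hides it from $_SERVER), parse the "TRUEREST username=...&password=...&apikey=..." value from the question, and verify the credentials with constant-time comparisons. The scheme name and the key=value&key=value payload are taken from the question; the user table, the function names and the /api.php path are assumptions made for the example.

```php
<?php
// Added example, not the asker's code: a minimal endpoint that answers the CORS
// preflight and reads credentials from the Authorization header.
// Assumptions: the scheme name "TRUEREST" and the key=value&key=value payload
// are taken from the question; the user table below is constructed sample data.
declare(strict_types=1);

// Constructed sample store. In a real API the hash and key come from the DB;
// password_hash() is called here only so the demo is self-contained.
$users = [
    'john' => [
        'password_hash' => password_hash('test', PASSWORD_DEFAULT),
        'apikey'        => '247b5a2f72df375279573f2746686daa',
    ],
];
// Hash checked when the username is unknown, so a bad username costs the
// same time as a bad password.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

// Returns the raw Authorization header, or null if the request has none.
function authorization_header(): ?string
{
    if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
        return $_SERVER['HTTP_AUTHORIZATION'];
    }
    // Apache under CGI/FastCGI or mod_rewrite often drops the header from
    // $_SERVER; a common .htaccess rule re-exposes it under this name.
    if (!empty($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
        return $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
    }
    if (function_exists('apache_request_headers')) {
        foreach (apache_request_headers() as $name => $value) {
            if (strcasecmp($name, 'Authorization') === 0) {
                return $value;
            }
        }
    }
    return null;
}

// Parses "TRUEREST username=..&password=..&apikey=.." into an array, or null.
// The client must URL-encode each value (jQuery's $.param does that).
function parse_truerest(string $header): ?array
{
    if (!preg_match('/^TRUEREST\s+(\S.*)$/i', trim($header), $m)) {
        return null;
    }
    parse_str($m[1], $params);
    foreach (['username', 'password', 'apikey'] as $field) {
        if (!isset($params[$field]) || !is_string($params[$field]) || $params[$field] === '') {
            return null;
        }
    }
    return $params;
}

// Checks password and API key; password_verify/hash_equals avoid the
// early-exit timing leak of a plain == comparison.
function authenticate(array $creds, array $users, string $dummyHash): bool
{
    $user = $users[$creds['username']] ?? null;
    $passwordOk = password_verify($creds['password'], $user['password_hash'] ?? $dummyHash);
    $keyOk = $user !== null && hash_equals($user['apikey'], $creds['apikey']);
    return $user !== null && $passwordOk && $keyOk;
}

header('Access-Control-Allow-Origin: *');
// Deliberately no Access-Control-Allow-Credentials: browsers refuse that header
// together with a "*" origin, and the credentials ride in Authorization anyway.
header('Access-Control-Allow-Methods: POST, OPTIONS');
header('Access-Control-Allow-Headers: Authorization, Content-Type');

$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
if ($method === 'OPTIONS') {
    // The preflight the question saw: the browser asks permission for the
    // custom header before sending the real POST. Answer it and stop.
    http_response_code(204);
    exit;
}
if ($method !== 'POST') {
    http_response_code(405);
    exit;
}

header('Content-Type: application/json');
$raw   = authorization_header();
$creds = $raw === null ? null : parse_truerest($raw);
if ($creds === null || !authenticate($creds, $users, $dummyHash)) {
    http_response_code(401);
    echo json_encode(['error' => 'unauthorized']);
    exit;
}
echo json_encode(['ok' => true, 'user' => $creds['username']]);
```

Run it with the built-in server (php -S 127.0.0.1:8080 api.php) and exercise it with curl -i -X POST -H 'Authorization: TRUEREST username=john&password=test&apikey=247b5a2f72df375279573f2746686daa' http://127.0.0.1:8080/api.php; the jQuery side then needs only headers: { Authorization: 'TRUEREST ' + $.param({username: 'john', password: 'test', apikey: '...'}) } instead of separate username/password/apiKey headers. Two caveats a practitioner would want: the username and password cross the wire on every call, so the API must be served over HTTPS only, and the usual pattern is to exchange them once for a short-lived token that later requests present instead; and a PhoneGap WebView typically sends a file:// or null Origin, so the wildcard Allow-Origin is the pragmatic setting, which means the Authorization check, not CORS, is the access control.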