I am creating a basic API using Basic Auth over SSL. The API will be used in a mobile application and allow the creation of an account, with other fairly basic features.
I have decided to hard-code an API key into the mobile application to pass to the API to make it a bit harder for a hacker to access parts of the API that don't require a login (basic auth). Based on what I've read, the API key should be stored in the Authorization header in the HTTP request.
Authorization header:
Key ~@3o42jf!34vm3.!
My PHP API then reads the header and ensures that the key is correct. If it is, basic elements of the API are available.
The problem comes when trying to perform a task that requires a login to be passed to the API. My Authorization header then looks like this:
Key ~@3o42jf!34vm3.! Basic c3RhY2tAZ21haWwuY29tOnRlc3RpbmcxMjM=
The API can still read the key, but the email/password string that I access with $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] are now not set. Is the only way to get around this to read the header manually through apache_request_headers()?
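As an added example (not code from the question), here is one way to read the combined header in PHP and pull out both the custom key and the Basic credentials yourself. It assumes the raw header is reachable either through $_SERVER['HTTP_AUTHORIZATION'] or through apache_request_headers(), and uses the key value from the question as the configured constant.

```php
<?php
// Added example: parse an Authorization header that carries both a custom
// "Key" token and a "Basic" credential, e.g.
//   Key ~@3o42jf!34vm3.! Basic c3RhY2tAZ21haWwuY29tOnRlc3RpbmcxMjM=
// PHP only fills PHP_AUTH_USER/PHP_AUTH_PW when the header is a plain
// "Basic ..." value, so the combined form has to be split by hand.

const API_KEY = '~@3o42jf!34vm3.!';   // value from the question

// Returns ['key' => ?, 'user' => ?, 'pass' => ?]; missing parts are null.
function parseAuthorizationHeader(string $header): array
{
    $result = ['key' => null, 'user' => null, 'pass' => null];
    $tokens = preg_split('/\s+/', trim($header));

    // Walk the header as "<scheme> <value>" pairs.
    for ($i = 0; $i + 1 < count($tokens); $i += 2) {
        $scheme = strtolower($tokens[$i]);
        $value  = $tokens[$i + 1];
        if ($scheme === 'key') {
            $result['key'] = $value;
        } elseif ($scheme === 'basic') {
            $decoded = base64_decode($value, true);   // strict: reject malformed base64
            if ($decoded !== false && strpos($decoded, ':') !== false) {
                [$result['user'], $result['pass']] = explode(':', $decoded, 2);
            }
        }
    }
    return $result;
}

// Reads the raw header; the fallback is the apache_request_headers() route
// the question mentions (assumed available on the Apache/mod_php setup).
function readAuthorizationHeader(): string
{
    if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
        return $_SERVER['HTTP_AUTHORIZATION'];
    }
    if (function_exists('apache_request_headers')) {
        $headers = array_change_key_case(apache_request_headers(), CASE_LOWER);
        return $headers['authorization'] ?? '';
    }
    return '';
}

$auth = parseAuthorizationHeader(readAuthorizationHeader());

// hash_equals() avoids a timing side channel when comparing the key.
if ($auth['key'] === null || !hash_equals(API_KEY, $auth['key'])) {
    http_response_code(401);
    exit('invalid API key');
}
// For login-protected endpoints, $auth['user'] / $auth['pass'] now hold the
// Basic credentials (for the header above: stack@gmail.com / testing123).
```

Endpoints that need a login check $auth['user'] and $auth['pass'] against the stored account; the public ones only need the key check to pass.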