9

I am building a RESTful api with laravel using the RESTful controller property. So far i've been able to get most of it working. The issue am having now is authenication, am trying to use Amazon approach using a "user_id" and "signature". Am creating the signature using php's 'hash_hmac()'.

this an example api controller

class Api_Tasks_Controller extends Api_Controller {

    public $restful = true;

    public function get_index($id = null) {

        $this->verfiy_request();

        if(!is_null($id))
        {
            return Response::json(array("tasks"=>"just one"),200);
        }
        else
        {
            return Response::json(array("tasks"=>"everthing"),200);
        }
    }


}

and this the api controller class

class Api_Controller extends Controller {

    public function verify_request() {

        //user id
        $user_id = (int) Input::get('user_id');
        //signature
        $sig = Input::get('sig');

        //Lookup user
        $user = Sentry::user($user_id);
        if($user) {
            //user email
            $email = $user->email;
            //user api key
            $api_key = $user->metadata['api_key'];
            //recreate signature
            $_sig = hash_hmac("sha256",$email.$user_id,$api_key);
            if($_sig === $sig) {
                return Response::json(array("message"=>"Request Ok"),200);
            }
            else {
                return Response::json(array("message"=>"Request Bad"),400);
            }
        }
        else {

            return Response::json(array("message"=>"Request not authorized"),401);
        }
    }

Making a get request http://api.xyz.com/v1/tasks/1?user_id=1&sig=41295da38eadfa56189b041a022c6ae0fdcbcd5e65c83f0e9aa0e6fbae666cd8 always returns a successful message even when i alter the value of the user_id parameter which should void the signature an make the request invalid. It seems my verfiy_request method is not executing. Please help me out

Improve this question

2 Answers 2

Reset to default
10

I have also been researching this recently and would also recommend going with filters. It could work something like this:

class Api_Tasks_Controller extends Base_Controller {

    public $restful = true;

    function __construct() {
        // Check if user is authorized
        $this->filter('before', 'api_checkauth');
    }

    // rest of the class ....

}

And in your routes.php file:

Route::filter('api_checkauth', function()
{
  //user id
  $user_id = (int) Input::get('user_id');

  //signature
  $sig = Input::get('sig');

  try {
    //Lookup user
    $user = Sentry::user($user_id);

    if($user) {
      //user email
      $email = $user->email;
      //user api key
      $api_key = $user->metadata['api_key'];
      //recreate signature
      $_sig = hash_hmac("sha256",$email.$user_id,$api_key);
      if($_sig === $sig) {
          return Response::json(array("message"=>"Request Ok"),200);
      }
      else {
          return Response::json(array("message"=>"Request Bad"),400);
      }
    }
    else {
      return Response::json(array("message"=>"Request not authorized"),401);
    }
  }
  catch (Sentry\SentryException $e) {
    $errors = $e->getMessage(); // catch errors such as user not existing or bad fields
    return Response::json(array("message"=>$errors),404);
  }

});

Also, thanks for introducing me to Sentry :-)

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

You are sending $sig and $userId in request itself. Don't you think any one can sniff these parameters and authenticate himself on your behalf ??
Great question! And yes you are correct that these elements can be intercepted. I think Amazon uses some sort of method to expire the URL after a period of time for this reason. I wasn't necessarily trying to scrutinize this person's choice of authentication, but rather show how to use filters in Laravel.
2

It's a quick guess, I didn't try but maybe you might want to try to add a return statement before calling verify_request.

And you should look into filters which will allow you to separate more your api logic and api authentication ;-)

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.