I am building an API in Yii 1.x which will be used with a mobile application. Part of the process involves a login (with a username and password) using the following JSON reques
Focus a solution which provides all the good (RESTful) auth stuff at once, which probably will be:
Hint: Personal user data should always be encrypted!
Above you can see the standard information about security interfaces. To ensure lasting security you can try it like in the next part. I'm not sure about your AppSidePersistence; maybe it's SQLite or something like that. That's why I don't indicate a code-based DB schema for it, like I did for Yii. You will need a storage/persistence inside your Yii application (backend) and also inside your app (client) to store times and tokens.
Your YiiDBModel
```sql
-- -----------------------------------------------------
-- Table `mydb`.`user`
-- -----------------------------------------------------
CREATE TABLE IF NOT EXISTS `mydb`.`user` (
  `id` INT NOT NULL,
  `username` VARCHAR(255) NOT NULL,
  `password` VARCHAR(255) NOT NULL,      -- credential material, never plain text
  `lastLogin` DATETIME NULL,
  `modified` DATETIME NULL,
  `created` DATETIME NULL,
  PRIMARY KEY (`id`))
ENGINE = InnoDB;

-- -----------------------------------------------------
-- Table `mydb`.`authToken`
-- one row per issued token; `created` is the start of the expiry window
-- -----------------------------------------------------
CREATE TABLE IF NOT EXISTS `mydb`.`authToken` (
  `id` INT NOT NULL,
  `userId` INT NOT NULL,
  `token` VARCHAR(255) NOT NULL,
  `created` DATETIME NOT NULL,
  PRIMARY KEY (`id`, `userId`),
  INDEX `fk_authToken_user_idx` (`userId` ASC),
  UNIQUE INDEX `token_UNIQUE` (`token` ASC),  -- a token maps to exactly one user
  CONSTRAINT `fk_authToken_user`
    FOREIGN KEY (`userId`)
    REFERENCES `mydb`.`user` (`id`)
    ON DELETE NO ACTION
    ON UPDATE NO ACTION)
ENGINE = InnoDB;
```
Your AppPersistenceModel
Handling your token right and ensuring login security
Once the user login was validated as "success" by Yii, you generate a new user token with the current timestamp, which will be stored in your YiiApp DB. In your YiiApp you need to configure an "expire time", which will be added to the current timestamp. For example, if you like to use timestamps: the current timestamp is 1408109484 and your expire time is set to 3600 (3600 sec = 1h), so the expire datetime which will be sent via the API is 1408109484+3600 = 1408113084. Btw. Hint: you don't need to send attributes like "code": 200; response codes are included in your request/response header data.
**200 OK Response-Example, after user login was successful, holds the calculated "expires" date:**
```json
{
    "error": null,
    "content": {
        "expires": 1408113084, // 1408109484 + 3600
        "token": "633uq4t0qdtd1mdllnv2h1vs32"
    }
}
```
Important: Every request which you want to be secured needs to be sent with your generated user "token", which will probably be stored in your device storage. You can handle your login states really RESTfully if you use HTTP response codes right, for example 200 OK (if all is fine) or 401 (not authorized: the user is not logged in or the session is expired). You need to validate your user requests on the Yii side: read out the token from the incoming request, validate it against the tokens stored in the database and compare the "created" DB value with the time of the incoming HTTP request.
**Request-Example, default schema for any secured request:**
```json
{
    "token": "633uq4t0qdtd1mdllnv2h1vs32",
    "content": {
        "someDataYouNeed": null
    }
}
```
**401 Unauthorized Response-Example, token expired:**
```json
{
    "error": 1, // errorCode 1: token is expired
    "content": {
        "someDataYouNeed": null
    }
}
```
**401 Unauthorized Response-Example, user is not logged in (no token exists in YiiDB):**
```json
{
    "error": 2, // errorCode 2: user is not logged in
    "content": {
        "someDataYouNeed": null
    }
}
```
Keep a user session alive? That's pretty easy. Just update the "created" date in the authToken table to the current request time. Do that every time a valid request was sent by the user. In that way the session will not expire if the user is still active. Ensure your DB token is not expired before updating the expires date field in the DB. If no request is sent before the session expires, the keep-alive won't be possible anymore.
Sorry, but adding PHP code would be too much.
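The login, token validation and keep-alive steps described in the answer above, as an added worked example that is not part of the original answer or of Yii itself. It is plain PHP with PDO against an in-memory SQLite copy of the answer's two tables (SQLite column types instead of the MySQL ones, and `created` kept as a Unix timestamp so the arithmetic matches the answer's numbers); the function names `openDb`, `seedUser`, `login`, `authenticate`, the `EXPIRE_TIME` constant, the sample user and the use of `password_hash`/`password_verify` for the stored credential are all assumptions made for this example, not something the answer specifies. Error codes follow the answer: 1 = token expired, 2 = not logged in. Run it with `php example.php`.

```php
<?php
// Added example, not code from the original answer. Plain PHP + PDO/SQLite stand-in
// for the Yii 1.x DB layer; names and the sample user are assumptions for illustration.

const EXPIRE_TIME = 3600; // seconds added to "created", as in the answer (1h)

function check(bool $cond, string $what): void {
    if (!$cond) { throw new RuntimeException("check failed: $what"); }
}

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same columns as the answer's schema, reduced to what the flow needs.
    $db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE,
               password TEXT NOT NULL, lastLogin INTEGER NULL)');
    $db->exec('CREATE TABLE authToken (id INTEGER PRIMARY KEY AUTOINCREMENT,
               userId INTEGER NOT NULL, token TEXT NOT NULL UNIQUE, created INTEGER NOT NULL,
               FOREIGN KEY (userId) REFERENCES user(id))');
    return $db;
}

// Constructed sample user; the password column holds a password_hash() digest (assumption).
function seedUser(PDO $db, string $username, string $password): int {
    $db->prepare('INSERT INTO user (username, password) VALUES (?, ?)')
       ->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
    return (int)$db->lastInsertId();
}

// Login: verify credentials, mint a fresh random token, store it with the current
// timestamp and return the body shape of the answer's 200 example.
function login(PDO $db, string $username, string $password, int $now): array {
    $stmt = $db->prepare('SELECT id, password FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$user || !password_verify($password, $user['password'])) {
        return ['status' => 401, 'error' => 2, 'content' => null];
    }
    $token = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG, unguessable
    $db->prepare('INSERT INTO authToken (userId, token, created) VALUES (?, ?, ?)')
       ->execute([$user['id'], $token, $now]);
    $db->prepare('UPDATE user SET lastLogin = ? WHERE id = ?')->execute([$now, $user['id']]);
    return ['status' => 200, 'error' => null,
            'content' => ['expires' => $now + EXPIRE_TIME, 'token' => $token]];
}

// Validate the token of a secured request: unknown token -> 401/2, expired -> 401/1.
// A valid request resets "created" to the request time (the answer's keep-alive),
// and the expiry check happens before that update so a dead token cannot be revived.
function authenticate(PDO $db, string $token, int $now): array {
    $stmt = $db->prepare('SELECT id, userId, created FROM authToken WHERE token = ?');
    $stmt->execute([$token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return ['status' => 401, 'error' => 2, 'userId' => null];
    }
    if ((int)$row['created'] + EXPIRE_TIME <= $now) {
        $db->prepare('DELETE FROM authToken WHERE id = ?')->execute([$row['id']]);
        return ['status' => 401, 'error' => 1, 'userId' => null];
    }
    $db->prepare('UPDATE authToken SET created = ? WHERE id = ?')->execute([$now, $row['id']]);
    return ['status' => 200, 'error' => null, 'userId' => (int)$row['userId']];
}

// Walk the flow with the timestamp used in the answer.
$db = openDb();
seedUser($db, 'alice', 'correct horse');
$t0 = 1408109484;

check(login($db, 'alice', 'wrong', $t0)['status'] === 401, 'bad password rejected');
$ok = login($db, 'alice', 'correct horse', $t0);
check($ok['content']['expires'] === $t0 + EXPIRE_TIME, 'expires = created + 3600 (1408113084)');
$token = $ok['content']['token'];

check(authenticate($db, $token, $t0 + 3000)['status'] === 200, 'inside window, slides it');
check(authenticate($db, $token, $t0 + 6000)['status'] === 200, 'inside the slid window');
check(authenticate($db, $token, $t0 + 6000 + EXPIRE_TIME)['error'] === 1, 'expired -> error 1');
check(authenticate($db, $token, $t0 + 6000 + EXPIRE_TIME + 1)['error'] === 2, 'deleted -> error 2');
check(authenticate($db, 'no-such-token', $t0)['error'] === 2, 'unknown token -> error 2');
echo "all checks passed\n";
```

The walk-through at the bottom shows why the order of the checks matters: the request at `t0 + 6000` is only accepted because the earlier request at `t0 + 3000` moved `created` forward, and once the window has lapsed the row is removed before any update, so a late keep-alive cannot bring the token back. In a Yii 1.x application the same `authenticate` logic would sit in a filter or `beforeAction` and map `status`/`error` onto the 401 responses shown above.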