Implementing RESTful API authentication using tokens (Yii/Yii2)

Backend | Unresolved | 3 answers | 1622 views
失恋的感觉 2021-01-30 00:05

I am building an API in Yii 1.x which will be used with a mobile application. Part of the process involves a login (with a username and password) using the following JSON reques

3 answers
  •  礼貌的吻别
    2021-01-30 00:25

    If you are building for a native mobile app then the sensible thing would be to rely on the security of the native memory (e.g. the iOS keychain) and not a cookie-based solution. Otherwise what you have described seems fine. As long as your payload is being sent over SSL it doesn't really matter if the token is in the PUT or the POST. Your token management (i.e. expiration times) is a business decision you have to make. On the back end I would do as you describe and hold the token in your database, delete it when it has become defunct for whatever reason, and return a message to your client app to put it back into logged-out mode / re-request credentials.

    EDIT: Check out this awesome tut from the prolific Phil Sturgeon. He also has a great CI library for building RESTful APIs in CI which might be worth looking at.

    http://philsturgeon.uk/blog/2013/07/building-a-decent-api

    http://code.tutsplus.com/tutorials/working-with-restful-services-in-codeigniter--net-8814
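The lifecycle the answer describes (mint a token after login, keep it server-side, delete it once defunct, and tell the app to re-authenticate), as an added example that is not part of the original post and not Yii code: plain PHP over PDO with an in-memory SQLite table, so it runs from the CLI. The table name, column names and the one-hour lifetime are assumptions.

```php
<?php
// Added example, framework-agnostic: PDO + in-memory SQLite stand in for the app's real database.
const TOKEN_TTL_SECONDS = 3600; // assumption: one-hour token lifetime

function openTokenStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Only a SHA-256 hash of the token is stored, so a leaked table does not expose live sessions.
    $db->exec('CREATE TABLE api_token (token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');
    return $db;
}

// Called after the username/password check succeeded: random token out, hash + expiry in.
function issueToken(PDO $db, int $userId, int $now): string {
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, never derived from user data
    $stmt = $db->prepare('INSERT INTO api_token (token_hash, user_id, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, $now + TOKEN_TTL_SECONDS]);
    return $token;
}

// Explicit logout or server-side invalidation (password change, suspected compromise): delete the row.
function revokeToken(PDO $db, string $token): void {
    $stmt = $db->prepare('DELETE FROM api_token WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
}

// Per-request check: returns the user id, or null when the client must drop back to logged-out mode.
function authenticate(PDO $db, string $token, int $now): ?int {
    $stmt = $db->prepare('SELECT user_id, expires_at FROM api_token WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown or already revoked
    }
    if ((int) $row['expires_at'] <= $now) {
        revokeToken($db, $token); // defunct: remove it so it cannot be presented again
        return null;
    }
    return (int) $row['user_id'];
}

// Body to send with HTTP 401 so the app knows to re-request credentials rather than retry.
function unauthorizedBody(): string {
    return json_encode(['status' => 'error', 'code' => 'token_invalid', 'action' => 'reauthenticate']);
}

// Constructed walk-through: valid now, rejected and deleted after expiry, still gone afterwards.
$db = openTokenStore();
$token = issueToken($db, 42, time());
var_dump(authenticate($db, $token, time()));
var_dump(authenticate($db, $token, time() + TOKEN_TTL_SECONDS + 1) ?? unauthorizedBody());
var_dump(authenticate($db, $token, time()));
```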
