Simple API User Authentication with PHP

Question

I am building a Bookmarking application which will act as an API so that a front-end JavaScript application can call URL endpoints and do CRUD actions on a database using a simple PHP API.

I also will have a Google Chrome Extension for adding and editing bookmarks records in my PHP app.

I know the standard is to use something like OAuth for user authentication when making requests to my API however it seems overly complex to setup and I am curious if there is some other super simple way to authenticate users making API requests.

Perhaps some sort of API access key that a user could get when they are logged into my app and then use that key to send with there API requests similar to a password.

What are my options here for authenticating API user requests?

Answer 1

There are many ways to skin this cat, but assuming your Chrome extension needs a login and password to hook up to the server endpoint (ie the user has already registered with your app on the server side), one possibility to support the following 'login' api which returns a temporary token (it could have an expiry), and then send this token in the 'Authorization' header in all your other bookmark apis.

So in curl terms:

1) Your chrome extension first 'login' the user:

curl -u <user login id>:<user password> https://my-bookmark.com/api/v1/login

Note in this case, the user's login and password are sent base-64 encoded over https (secure) line, and it needs to validate the user. It sends it via 'Authorization' header using 'Basic-Auth' mechanism.

If successful, you send back a 200 response with a json payload containing the temporary token and some expiry time in seconds -eg:

{
  user_id: 12345,    // Some unique user id
  session_token: "azxvehft......."  // some long base-64 encoded value
  expires_in : 28800 // number of seconds the token is valid - say 8 hours

  // Any other useful user profile or metadata

  .
  .
}

The key thing is how you generate the token on the server side. For example, you could do:

session_token = base64_encode( aes_encrypt(some_secret_key, user_login_time) )

The idea is that on subsequent API calls, you will pass with token in the 'Authorization' header which you can decrypt using the same secret key, and compare the 'login timestamp' against the user's data.

You could just keep track of tokens in some transient store to compare it directly but it is has to be cryptographically strong pseudorandom number generator.

Also you could use the user's one-way password hash as the secret key for the encryption above.

2) Using the token from step 1 to to some bookmark api

curl -H "Authorization: MyBookmark <user_id>:<session_token>" https://my-bookmark.com/api/v1/list

Here I am assuming there is a 'list' api and you are retrieving a list of bookmarks belonging to the user (HTTP GET).

As it can be seen, the GET call here includes the 'Authorization' header with a custom auth-scheme (declared here to be 'MyBookmark'), and you are passing the user id and the token received from the login API response.

Before serving this request, the server must validate the token in some fashion for the given user id as mentioned earlier. As it is an encrypted token using a secret key, any attempt to tamper with the token could result in a failure in the decryption step which could be detected.

You could cache the token using the exipry time given, and once expired, force the user to re-login.

Additionally if you could give the option to the user to save their password (probably not desirable) to avoid re-login by silently fetching a new token once it expires.

Hope this helps.