
How to secure a Lithium php RESTful API?

I have created a RESTful app using the Lithium PHP framework, and now my question is how to secure it?

Is there any existing code for OAUTH or HTTP Digest Authentication that uses the Lithium framework?

While I'm not sure what sort of security you are looking for ...

There is built-in security for Lithium; you can see two short tutorials to get you going here:

The basics are covered in the "Simple Authentication" tutorial ... you'll need:

  • A database to keep track of your users
  • Bootstrap Auth via config/bootstrap.php
  • Set up Sessions & Auth adapters

Then it depends on if you are going to do authentication via forms, or by some other method.

The tutorials will show you how to set up a form, but you can also "secure" the route (url) that is being requested via the config/routes.php file like so ...

<?php

use lithium\net\http\Router;
use lithium\core\Environment;

use lithium\security\Auth;

// check if the user is logged in
$user = Auth::check('default'); 

// these routes are not behind a login
Router::connect('/login', 'Sessions::add');
Router::connect('/logout', 'Sessions::delete');

if ($user && $user["user"] === "admin") {

    // these two routes are only connected when the logged-in user is "admin"
    Router::connect('/{:controller}/{:action}/{:args}.{:type}');
    Router::connect('/{:controller}/{:action}/{:args}');
}

// redirect the user to a login if no other routes match
Router::connect('/{:args}', array(), function($request) {
    // pass the originally requested URL along, with "/" replaced by "*"
    header('Location: /login/url/' . str_replace('/', '*', $request->url));
    exit;
});

?>
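The bootstrap steps listed in the answer above, written out as an added example (not part of the original answer or the tutorials it refers to). It also configures Lithium's `Http` adapter for the HTTP Digest case the question asks about; the file location, the `api` configuration name, the `Users` model, the field names, the realm and the credentials are all assumptions or constructed placeholders.

```php
<?php
// Added example: session and auth bootstrap for a Lithium app.
// Assumed location: config/bootstrap/session.php, required from config/bootstrap.php.

use lithium\storage\Session;
use lithium\security\Auth;

// Session storage backing the form login; the "Php" adapter uses native PHP sessions.
Session::config(array(
    'default' => array('adapter' => 'Php')
));

Auth::config(array(
    // Browser login: credentials posted from a form and looked up through a model.
    // 'Users' and the field names are assumptions about your schema.
    'default' => array(
        'adapter' => 'Form',
        'model'   => 'Users',
        'fields'  => array('username', 'password')
    ),
    // API clients: HTTP Digest credentials sent in the request headers.
    // 'api' is a hypothetical configuration name.
    'api' => array(
        'adapter' => 'Http',
        'method'  => 'digest',
        'realm'   => 'example-api',                      // constructed placeholder
        'users'   => array('apiclient' => 'CHANGE-ME')   // constructed placeholder
    )
));
```

The `default` configuration is the one `Auth::check('default')` reads in the routes file above; an API controller would call `Auth::check('api', $this->request)` instead.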

Thanks for editing your question to actually ask something specific. Please see the following:
