[ivolovikov]

Hi,

I want to introduce Yii RESTful API extension, which was written for our project.

Key Features

• integration in existing project - you can use single action to display html page or returning API response
  
• model render rule - rule can be simply added to default rules list
  
• support application and model errors render
  
• support auth adapters - defult is HTTP Basic Auth
  
• support renderer adapters - defult is JSON and XML

GitHub repo: https://github.com/paysio/yii-rest-api
Smail docs: https://github.com/p...aster/README.md

I'll be glad to answer to all of yours questions!

[PrplHaz4]

Are there any examples of this extension implemented with the token auth scheme described below? Or perhaps an example of an auth adapter?
http://docs.amazonwe...QueryStringAuth

[ivolovikov]

PrplHaz4, on 16 October 2012 - 01:14 PM, said:

Are there any examples of this extension implemented with the token auth scheme described below? Or perhaps an example of an auth adapter?

Extension have one default Auth adapter, which can be rewrited or extended - https://github.com/p...pters/Basic.php

Your auth scheme can use adapter something like this

namespace rest\service\auth\adapters;

use rest\service\auth\AdapterInterface;

class AccessKey implements AdapterInterface
{
    /**
     * @var string
     */
    public $identityClass = 'application.components.UserIdentity';

    /**
     * @throws \CHttpException
     */
    public function authenticate()
    {
        if (!isset($_GET['AccessKeyId']) || !($key = $_GET['AccessKeyId'])) {
            throw new \CHttpException(401, \Yii::t('ext', 'Undefined AccessKeyId'));
        }
        if (!isset($_GET['Expires']) || !($expires = $_GET['Expires'])) {
            throw new \CHttpException(401, \Yii::t('ext', 'Undefined Expires'));
        }
        if (!isset($_GET['Signature']) || !($sign = $_GET['Signature'])) {
            throw new \CHttpException(401, \Yii::t('ext', 'Undefined Signature'));
        }

        $user = $this->getUserByAccessKey($key); // some logic matching user by AccessKeyId
        if (!$user) {
            throw new \CHttpException(401, \Yii::t('ext', 'AccessKeyId not found'));
        }
        
        $secretKey = $user->secretAccessKeyID; // user should have own secretAccessKeyID
        $validSign = sha1($secretKey . '.' . $_SERVER['REQUEST_URI'] . '.' .  $expires); // it's not AWS algo - just for example
        if ($sign != $validSign) {
            throw new \CHttpException(401, \Yii::t('ext', 'Wrong Signature'));
        }
        
        if ($expires > time()) {
            throw new \CHttpException(401, \Yii::t('ext', 'AccessKeyId Expired'));
        }

        // Authenticate \Yii::app()->user
        $identityClass = \Yii::import($this->identityClass);
        $identity = new $identityClass($user->name, $user->password);
        $identity->authenticate();
        \Yii::app()->user->login($identity);
    }

    public function getUserByAccessKey($key)
    {
        // not implemented
    }
}

Be careful, it's is just simple example! I'm not tested it.
Method getUserByAccessKey and user object not written, because it is the implementation details.

Thank you for your interest, I hope I was able to help.

[rpagyc]

Hi, thanks for great extension. I'd like to know if it's possible to control the auth process. may I exclude authentication for user creation for example? auth is done in Service onBeginRequest, so for each request user/pass should be sent.