Implementing a RESTful API Authentication using tokens (Yii/Yii2)
Asked 07 September, 2021
Viewed 1.6K times
64 votes

I am building an API in Yii 1.x which will be used with a mobile application. Part of the process involves a login (with a username and password) using the following JSON request below:-

// Request sent with username & password

{
    "request": {
        "model": {
            "username": "bobbysmith",
            "password": "mystrongpassword"
        }
    }
}

// If successfully logged in, return the following response

{
    "response": {
        "code": 200,
        "message": "OK",
        "model": {
            "timestamp": 1408109484,
            "token": "633uq4t0qdtd1mdllnv2h1vs32"
        }
    }
}

This token is quite important - once a user is logged in on the app I'd like them to have access to other pages that require them to be logged in. I want the mobile app to store this token & if the same 633uq4t0qdtd1mdllnv2h1vs32 token is found within any subsequent requests it will accept this as being an authenticated request (for this user 'bobbysmith').

I am a little unsure of how to best go about doing this. I have done some research and can see OAuth has been mentioned a few times, along with Basic Authentication via HTTPS.

So in a nutshell this...

  1. On mobile app homepage, user logs in correctly with their username & password & this sends a request to the API.
  2. This returns a successful response (shown above) with the current timestamp & the all important token.
  3. The same user goes to another app page/view where this token is a) required and b) if it matches up, this authenticates that user (e.g. so they can edit that account etc.).
  4. Once the user clicks 'Logout' this token is then removed (and they can no longer access My Account etc.) - essentially a token-based authentication system.

Can anyone possibly explain the best way to achieve this? Please let me know if what I have stated isn't 100% clear and I'll provide more information.

While I am using PHP, a Yii 1.x solution is ideal as that is what the current API is built using.

In a nutshell, the app ensures that every request to the server includes the token in the payload or header, so this token can be retrieved on every subsequent post; once logged out, this token is simply removed OR set to null/empty.
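One way to wire the four steps above into a Yii 1.x controller, as an added example that is not from the question or any answer: the filter class, the `api_token` table (columns `user_id`, `token_hash`, `expires_at`, `revoked`) and the controller's `$apiUserId` property are all assumptions made here. The server stores only a SHA-256 hash of the random token, so a copy of the table does not yield usable tokens, and logout revokes server-side rather than relying on the device to forget it.

```php
<?php
// Assumed token filter for a Yii 1.x API controller (example code, not Yii's own).
// Assumed table: api_token(user_id, token_hash, expires_at, revoked).
class ApiTokenFilter extends CFilter
{
    const TTL_SECONDS = 3600; // tokens expire after one hour regardless of logout

    // Step 1-2: call after the password check succeeds; returns the raw token
    // for the JSON response. Only its hash is persisted.
    public static function issue($userId)
    {
        $token = bin2hex(openssl_random_pseudo_bytes(32)); // 256 bits of entropy
        Yii::app()->db->createCommand()->insert('api_token', array(
            'user_id'    => $userId,
            'token_hash' => hash('sha256', $token),
            'expires_at' => time() + self::TTL_SECONDS,
            'revoked'    => 0,
        ));
        return $token;
    }

    // Step 4: logout marks the token revoked so replaying it later is rejected.
    public static function revoke($token)
    {
        Yii::app()->db->createCommand()->update('api_token', array('revoked' => 1),
            'token_hash = :h', array(':h' => hash('sha256', $token)));
    }

    // Step 3: runs before every protected action; expects "Authorization: Bearer <token>".
    protected function preFilter($filterChain)
    {
        $header = isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] : '';
        if (!preg_match('/^Bearer\s+([a-f0-9]{64})$/', $header, $m)) {
            return $this->deny(401, 'Missing or malformed token');
        }
        $row = Yii::app()->db->createCommand()
            ->select('user_id')->from('api_token')
            ->where('token_hash = :h AND revoked = 0 AND expires_at > :now',
                    array(':h' => hash('sha256', $m[1]), ':now' => time()))
            ->queryRow();
        if ($row === false) {
            return $this->deny(401, 'Invalid or expired token');
        }
        $filterChain->controller->apiUserId = (int) $row['user_id']; // assumed public property
        return true; // let the action run
    }

    private function deny($code, $message)
    {
        header('HTTP/1.1 ' . $code);
        header('Content-Type: application/json');
        echo json_encode(array('response' => array('code' => $code, 'message' => $message)));
        return false; // stops the filter chain
    }
}
```

Attach it with `public function filters() { return array(array('ApiTokenFilter')); }` in the protected controller (the login action stays unfiltered). Serve the API over HTTPS only, since the bearer token is as sensitive as the password it replaces.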

3 Answers