Clever Geek Handbook

PHP / MYSQL API Key Function

A quick question about API Keys with PHP / MYSQL. I have been reading a lot over the past few days, but I only need to clarify and revise some of the guidelines as I am only new to HTML, JS, JQUERY, PHP / MYSQL.

My server side code is PHP which connects to MYSQL database. The database has a table users

that stores the columns, such as id

, username

, password

(which uses parol_hash () through PHP5, so it does not preserve the value of the plaintext) and api_key

. I will also consider adding some, such as last_seen

and last_login

for further security.

I would like the API key to be used to authenticate the user to access resources on the server (for example, parseID.php, which takes POST arguments to return the JSON result to an ID that the user enters). The user can use this API key in the script and also to access the JSON output if needed.

My thinking process:

  • Already registered user clicks a button to generate an API key.
  • The script generates an API key (using password_hash ()) and stores it against the user id in the database
  • When a user wants to access a protected resource, he will provide the given API key in GET / POST (or saved in the session ??), which will try to match it with that in the database and return the result (Auth VS Not Auth).
  • When authenticated, the User can access the resource.

I also use SSL to encrypt traffic between a user / resource.

I'm a bit unclear and wondering what other steps / best practices can be taken here to ensure that the API key and user information are safe?

All the information I've searched here and on google is several years old and uses techniques like MD5 to encrypt keys.

Thank!

+3


source to share


1 answer


This is correct - the API key is assigned to the user, and passing the API requires passing the API in order to authenticate the user and check what they can do.

Some changes I suggest:

Already registered user clicks a button to generate an API key.

If a user can only have one API key, it will be easier for you and users to generate an API key when creating an account and make it available in the profile / settings area (i.e. make it one -one, not one-to-zero- one). The only reason you want to generate it on demand is to give you an explicit permission, eg. through some moderation process.

In any case, you will also want to provide users with a reset API key (mainly in case of a possible leak).



By the way, the more common pattern is to support multiple API keys. for example, if you look at the Twitter developer dashboard, a user can create N "applications" and each application will automatically receive its own API key. There are some advantages to this approach, eg. you can collect metadata by application, API keys are separated (improved security), resolving models can be different for each application, and you can cancel one application without affecting all uses. Anything that might be too big for you.

stored in session

Session is more of a web concept related to passing cookies back and forth. You don't need this complication. It should be simple enough to require an API key in every request path.

When a user wants to access a protected resource

You can also require an API key on every request, not just for protected resources. It should be just as easy for the user anyway, and it will allow you to do things like rate limits and log requests for each user.

+2


source






More articles:


All Articles