Reputation: 395
I'm building a REST API on symfony2 and I'm not sure what would be the best way to manage different security levels.
For example, api/v1/philosophies would list all the philosophies to an authenticated client. Unregistered end users could see the list: 'idealism, realism, existentialism, ...'.
But end users would need to be authorized (registered and logged in) to access their favorite philosophies through api/v1/user/{userID}/favorites.
I've been reading and testing stuff with FOSUserBundle, FOSRestBundle and FOSOAuthServerBundle, but all the information I find has the users always logged in to get the token, and the whole API is protected both by client and by users.
Any idea?
Some light?
please?
Upvotes: 0
Views: 504
Reputation: 3736
FOSRest and FOSAuth will work fine for what you need, it just looks like you will need to change the way your access is defined in security.yml. The only reason you always have to be logged in to access resources is because the resources are protected. If you have a resource that you want to allow anonymous access to, then make that entry in security.yml, something like this:
security:
    access_control:
        # first matching rule wins, so the anonymous exception must come before the catch-all
        - { path: ^/api/v1/philosophies$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/v1, roles: IS_AUTHENTICATED_FULLY }
This would make /api/v1/philosophies accessible without logging in, but all other resources would still be protected. You can read more about this in the docs: Securing specific url patterns
In the end, you are the one that decides what resources are protected or not. FOSOAuth has nothing to do with that decision.
Upvotes: 1
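Symfony evaluates access_control rules top to bottom and applies only the first rule whose path regex matches, so the order of the two entries above decides whether the anonymous exception ever takes effect. The following Python snippet is an added illustration (not part of the answer and not Symfony code) that simulates that first-match evaluation for the paths from the question; the token dictionaries and the two-attribute hierarchy are constructed for the example.

```python
import re

# Constructed rule list mirroring the answer's security.yml.
# Like Symfony, the path is treated as an (unanchored) regex, so ^ and $ matter.
ACCESS_CONTROL = [
    {"path": r"^/api/v1/philosophies$", "roles": ["IS_AUTHENTICATED_ANONYMOUSLY"]},
    {"path": r"^/api/v1", "roles": ["IS_AUTHENTICATED_FULLY"]},
]

# Constructed sample tokens: an unregistered visitor and a logged-in user.
ANONYMOUS = {"user": None, "authenticated": False}
LOGGED_IN = {"user": "alice", "authenticated": True}


def granted_attributes(token):
    """Attributes a token satisfies; a fully authenticated token also
    satisfies the anonymous attribute (simplified hierarchy)."""
    attrs = {"IS_AUTHENTICATED_ANONYMOUSLY"}
    if token["authenticated"]:
        attrs.add("IS_AUTHENTICATED_FULLY")
    return attrs


def first_matching_rule(rules, path):
    """Return the first rule whose regex matches the request path, or None."""
    for rule in rules:
        if re.search(rule["path"], path):
            return rule
    return None


def is_allowed(rules, path, token):
    """Decide access the way a first-match access_control list does.
    A path that no rule covers is not restricted by access_control."""
    rule = first_matching_rule(rules, path)
    if rule is None:
        return True
    return bool(set(rule["roles"]) & granted_attributes(token))


if __name__ == "__main__":
    for path in ("/api/v1/philosophies", "/api/v1/philosophies/1",
                 "/api/v1/user/42/favorites"):
        print(path, "anonymous:", is_allowed(ACCESS_CONTROL, path, ANONYMOUS),
              "logged in:", is_allowed(ACCESS_CONTROL, path, LOGGED_IN))
    # With the entries swapped, the catch-all matches first and the
    # public listing silently becomes login-only.
    swapped = list(reversed(ACCESS_CONTROL))
    print("swapped order, anonymous:",
          is_allowed(swapped, "/api/v1/philosophies", ANONYMOUS))
```

Note that the trailing `$` keeps sub-paths such as /api/v1/philosophies/1 under the protected catch-all, so each public endpoint needs its own deliberate exception.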