Dalai Lama

Reputation: 399

Making Apigility usable for logged in users only, with Zend Framework 2

How can I use the authentication of the Apigility API to make it secure for logged-in users only?

Right now all I do when a user logs in is create a session (common).

I need to do more: I need to somehow authorize him to the API as well and block everyone else (not logged in).

I'm kinda new to ZF2 and Apigility, so please do the dummy talk.

I did read about Apigility OAuth2 and would rather not use this.

I need something simpler. For example, when you log in to Facebook you can then "allow" other apps to use your Facebook account without having to relog; the same should be true for the API.

Upvotes: 1

Views: 1658

Answers (2)

You need the OAuth module:

https://apigility.org/documentation/auth/authentication-oauth2#browser-based-applications

The workflow is like Facebook's:

You have to send the user to a URL of the OAuth module; the user will allow or deny the request to access data, and the app will redirect to your page with a token to access the API.

If the front-end and API are from the same developer, you can use a simpler way with username and password:

https://apigility.org/documentation/auth/authentication-oauth2#username-and-password-access

In this workflow, the user will pass the username and password to your front application.

Your front-end will send a request to the API with this data and will receive an access token.

This approach is recommended when the API and front-end are from the same developer or a trusted developer.

Upvotes: 0

Wilt

Reputation: 44326

I would recommend ZF-Campus - ZF MVC Auth for that. It is a module for Apigility which does exactly that. It is an ACL with limited functionality; it only checks whether users are authenticated and whether they are allowed to make a certain request (method on controller). You can also configure permissions for unauthenticated users (guests).

Check the repository here.

Upvotes: 1
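The authorization map Wilt describes, written out as an added example for `config/autoload/local.php` (it is not code from the answer or from zf-mvc-auth itself). The controller service name is a placeholder, and the `true`/`false` values follow the module's documented convention that `true` means the method requires an authenticated user; the authentication side (OAuth2 or HTTP basic) is configured separately in the module's `authentication` section.

```php
<?php
// Added example of a zf-mvc-auth authorization map (not the answer's own code).
// 'Example\V1\Rest\Post\Controller' is a placeholder for a real Apigility
// REST controller service name.
return [
    'zf-mvc-auth' => [
        'authorization' => [
            // Weak default: with deny_by_default => false, any controller or
            // method that has no entry below is reachable by guests.
            // Setting it to true denies everything not explicitly listed, so
            // a newly added service is closed to unauthenticated users until
            // someone deliberately opens it.
            'deny_by_default' => true,

            'Example\V1\Rest\Post\Controller' => [
                // Collection endpoint, e.g. /posts
                // true  = an authenticated user is required
                // false = guests may call the method
                'collection' => [
                    'GET'    => false, // public read of the listing
                    'POST'   => true,  // only logged-in users may create
                    'PUT'    => true,
                    'PATCH'  => true,
                    'DELETE' => true,
                ],
                // Entity endpoint, e.g. /posts/:post_id
                'entity' => [
                    'GET'    => false, // public read of a single post
                    'PUT'    => true,
                    'PATCH'  => true,
                    'DELETE' => true,
                ],
            ],
        ],
    ],
];
```

Unauthenticated requests to a method marked `true` get a 403 from the module's authorization listener, which is the "block everyone else" behaviour the question asks for.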
