This video walks through various authentication schemes and discuss some tradeoffs for different implementations.
- [Instructor] In this chapter we're going to tackle our first real design choice, authentication. At first glance, authentication seems easy. After all, you've probably built it a hundred times. You ask for a username and password, check those credentials against a user table in your database, and grant access if there's a match. It's really not a challenge, is it? And that's where we start running into problems. Do we really want to embed our username and password into the app using our API? What happens if that app is compromised? Is my sensitive information at risk? Or alternatively, what happens when we forget that password and reset it? Does our app stop working? Let's take a step back.
The authentication space is big and complex. There are options that require back-and-forth between client applications and the server, there are options that are one-time-use, and therefore, the consequences of the app being compromised are relatively small. But throughout all of this, remember one key aspect, don't create your own protocol. There is absolutely no reason to create your own protocol or encryption scheme. Even the leading experts don't build their own and instead opt for one of the standards.
There are two huge benefits to using a standard. First, there is tooling to support it. Things like Postman and Runscope already have options built in so your life is immediately easier. A second benefit is much more important. More people have tried to defeat it. If you use a system like Oauth, you can have confidence that thousands of people have tried to break it, the maintainers have improved and adapted the protocol, and thousands more people have tried to break it again. It does not mean it's perfect or unbeatable, but it does mean that all reasonable attacks have been tried, hundreds or even thousands of times, probably in more variations than you and I could imagine.
Can you say the same for your personal protocol? These and other problems hint to us that our understanding of how to approach authentication isn't complete. With that in mind, let's talk about some better approaches, and some of their trade-offs.
This course begins with a simple application specification and builds it one step at a time. Each chapter includes a key concept, with examples from other public APIs, and then shows how to build it yourself with Slim. Learn about URL routing, validating input, and generating response codes and hypermedia payloads. Like any project, the first implementation may be a little messy but don't worry. The last chapter covers refactoring and what it takes to scale and support the API going forward.
- Understanding the project goals
- Setting up the database
- Adding authentication in Slim
- Using cross-framework and authentication middleware
- Creating a read-write API in Slim
- Uploading files via the API
- Adding file security
- Creating payloads and response codes in Slim
- Scaling your API