/api-guard

A simple way of authenticating your RESTful APIs with API keys using Laravel

Primary LanguagePHP

ApiGuard

Latest Stable Version Total Downloads

Join the chat at https://gitter.im/chrisbjr/api-guard

A simple way of authenticating your APIs with API keys using Laravel. This package uses the following libraries:

The concept for managing API keys is also taken from Phil Sturgeon's codeigniter-restserver. I've been looking for an equivalent for Laravel but did not find any so this is an implementation for that.

Laravel 5 is finally supported!

**Laravel 5.1.x to 5.2.x: ~3.*

**Laravel 5.1.x: ~2.*

**Laravel 4.2.x: ~1.* (Recently updated version for Laravel 4. Please note that there are namespace changes here)

**Laravel 4.2.x: 0.* (The version that most of you are using)

Quick start

Laravel 5.1.x to 5.2.x

Run composer require chrisbjr/api-guard 3.1.*

In your config/app.php add Chrisbjr\ApiGuard\Providers\ApiGuardServiceProvider to the end of the providers array

'providers' => array(

    ...
    Chrisbjr\ApiGuard\Providers\ApiGuardServiceProvider::class,
),

Add the ApiGuardAuth facade to the end of the aliases array as well

'aliases' => array(

    ...
    'ApiGuardAuth' => \Chrisbjr\ApiGuard\Facades\ApiGuardAuth::class,
),

Add the following middleware inside your app/Http/Kernel.php file:

protected $routeMiddleware = [
    ...
    'apiguard' => \Chrisbjr\ApiGuard\Http\Middleware\ApiGuard::class,
];

Now publish the migration and configuration files for api-guard:

$ php artisan vendor:publish --provider="Chrisbjr\ApiGuard\Providers\ApiGuardServiceProvider"

Then run the migration:

$ php artisan migrate

It will setup two tables - api_keys and api_logs.

Laravel 5.0.x to 5.1.x (old users)

Note: Documentation for use with Laravel 5.0.x and 5.1.x differs from Laravel 5.2.x. Please refer to the README here.

Laravel 4.2.x

Note: Documentation for use with Laravel 4.2.x differs from Laravel 5.0.x. Please refer to the README here. If you are using version 0.* you can find the README here

Generating your first API key

Once you're done with the required setup, you can now generate your first API key.

Run the following command to generate an API key:

php artisan api-key:generate

Generally, you will want to generate API keys for each user in your application. The api_keys table has a user_id field which you can populate for your users.

To generate an API key that is linked to a user, you can do the following:

php artisan api-key:generate --user-id=1

To generate an API key from within your application, you can use the following method in the ApiKey model:

$apiKey = Chrisbjr\ApiGuard\Models\ApiKey::make()

Usage

Basic usage of ApiGuard is to create a controller and extend that class to use the ApiGuardController.

Note: The namespace of the ApiGuardController differs from previous versions.

<?php

use Chrisbjr\ApiGuard\Http\Controllers\ApiGuardController;

class BooksController extends ApiGuardController
{

    public function all()
    {
        $books = Book::all();

        return $this->response->withCollection($books, new BookTransformer);
    }
    
    public function show($id)
    {
        try {
        
            $book = Book::findOrFail($id);
            
            return $this->response->withItem($book, new BookTransformer);
            
        } catch (ModelNotFoundException $e) {
        
            return $this->response->errorNotFound();
            
        }
    }

}

You should be able to use the api-response object by using $this->response. More examples can be found on the Github page: https://github.com/ellipsesynergie/api-response.

You can access the above controller by creating a basic route in your app/routes.php:

Route::get('api/v1/books', 'BooksController@all');
Route::get('api/v1/books/{id}', 'BooksController@show');

You will need to use your API key and put it in the header to access it. By default, the header value is using the X-Authorization parameter. You can change this in the config file.

Try calling this route using curl

curl --header "X-Authorization: 2ed9d72e5596800bf805ca1c735e446df72019ef" http://localhost:8000/api/v1/books

You should get the following response:

{
    "data": {
        "id": 1,
        "title": "The Great Adventures of Chris",
        "created_at": {
            "date": "2014-03-25 18:54:18",
            "timezone_type": 3,
            "timezone": "UTC"
        },
        "updated_at": {
            "date": "2014-03-25 18:54:18",
            "timezone_type": 3,
            "timezone": "UTC"
        },
        "deleted_at": null
    }
}

API Options

There are various options that can be specified for each method in your controller. These options can be specified inside the $apiMethods variable. Examples can be found below.

Turning off API key authentication for a specific method

By default, all the methods in the ApiGuardController will be authenticated. To turn this off for a specific method, use the keyAuthentication option.

<?php

use Chrisbjr\ApiGuard\Http\Controllers\ApiGuardController;

class BooksController extends ApiGuardController
{

    protected $apiMethods = [
        'show' => [
            'keyAuthentication' => false
        ],
    ];

    ...

}

This above example will turn off key authentication for the show method.

Specifying access levels for API methods

If you take a look at the api_keys table in your database, you will notice that there is a level field.

This will allow you to specify a level for your API key and if the method has a higher level than the API key, access will be restricted. Here is an example on how to set the level on a method:

<?php

use Chrisbjr\ApiGuard\Http\Controllers\ApiGuardController;

class BooksController extends ApiGuardController
{

    protected $apiMethods = [
        'show' => [
            'level' => 10
        ],
    ];
    
    ...

}

Now if your API key has a level of 9 or lower, then access to the show method will be restricted.

Limiting API key access rate

You can limit the rate at which an API key can have access to a particular method by using the limits.key option.

<?php

use Chrisbjr\ApiGuard\Http\Controllers\ApiGuardController;

class BooksController extends ApiGuardController
{

    protected $apiMethods = [
        'show' => [
            'limits' => [
                'key' => [
                    'increment' => '1 hour',
                    'limit' => 100
                ]
            ]
        ],
    ];
    
    ...

}

The above example will limit the access to the show method of an API key to 100 requests for every hour.

Note: The increment option can be any value that is accepted by the strtotime() method.

Limiting access to a method

There is also an option to limit the request rate for a given method no matter what API key is used. For this, we use the limits.method option.

<?php

use Chrisbjr\ApiGuard\Http\Controllers\ApiGuardController;

class BooksController extends ApiGuardController
{

    protected $apiMethods = [
        'show' => [
            'limits' => [
                'method' => [
                    'increment' => '1 day',
                    'limit' => 1000
                ]
            ]
        ],
    ];
    
    ...

}

The above example will limit the request rate to the show method to 1000 requests per day.

Note: The increment option can be any value that is accepted by the strtotime() method.

Logging at method level

You can set logging at method level by using the logged option.

<?php

use Chrisbjr\ApiGuard\Http\Controllers\ApiGuardController;

class BooksController extends ApiGuardController
{

    protected $apiMethods = [
        'show' => [
            'logged' => true
        ]
    ];
    
    ...

}

By default for all methods in api-guard, the option logged is set to true. Set it to false to exclude that method for logging.