Posted by on | Featured | No Comments

This article covers the basic authorization of a Server Side application  built using DotKernel API

Protecting an endpoint

  • no-auth: the resource can be accessed without the need of authentication/authorization
  • authentication: the resource can be accessed only by authenticated users
  • authorization: the resource can be accessed only by authenticated AND authorized users

Configuring access to the endpoints is done by editing the following config file:

config/autoload/authorization.local.php

NOTE
If this file is missing from your application, locate it’s dist file: config/autoload/authorization.local.php.dist
and copy-paste it as the above-mentioned config/autoload/authorization.local.php

You should look for the array inside this config key: zend-expressive-authorization-rbac

'zend-expressive-authorization-rbac' => [
    'roles' => [
        'admin'  => [],
        'member' => ['admin'],
        'guest'  => ['member'],
    ],
    'permissions' => [
        'member' => [
            'avatar',
            'users',
            'user',
        ],
    ],
]

Under the key roles you can define role inheritance. In the above example

  • admin inherits from no other role 
     'admin' => []
  • member inherits from admin 
    'member' => ['admin']
  • guest inherits from member 
    'guest' => ['member']

Of course, this setup is just a model, you should not use it in live projects because guests will end up having the same rights as admins.

Under the key permissions you can define which routes are accessible to a role. In the above example, a member has access to the routes named avatar, users and user.

1. No-auth endpoints:

These endpoints can be accessed without authentication/authorization. Examples could be: login, register, contact etc…
Creating a route for such an endpoint will use only the handler(s) responsible for returning the content:

$app->get('/users', UserHandler::class, 'users');

2. Endpoints requiring Authentication:

These endpoints can be accessed only if a valid Bearer token is present in the request headers. Else, the API will return a **401 Unauthorized** response. Creating a route for such an endpoint will have a structure similar to the following example:

$app->get('/users', [
    AuthenticationMiddleware::class,
    UserHandler::class
], 'users');

3. Endpoints requiring Authorization:

These endpoints can be accessed only if a valid Bearer token is present in the request headers. Else, the API will return a **403 Forbidden** response. Creating a route for such an endpoint will have a structure similar to the following example:

$app->get('/users', [
    AuthenticationMiddleware::class,
    AuthMiddleware::class,
    UserHandler::class
], 'users');

Looking for PHP, Laminas or Mezzio Support?

As part of the Laminas Commercial Vendor Program, Apidemia offers expert technical support and services for:

  • Modernising Legacy Applications
  • Migration from any version of Zend Framework to Laminas
  • Migration from legacy Laminas API Tools (formerly Apigility) to Dotkernel API
  • Mezzio and Laminas Consulting and Technical Audit
    • Talk to an Expert

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>