This article covers the basic authorization of a Server Side application  built using DotKernel API

Protecting an endpoint

  • no-auth: the resource can be accessed without the need of authentication/authorization
  • authentication: the resource can be accessed only by authenticated users
  • authorization: the resource can be accessed only by authenticated AND authorized users

Configuring access to the endpoints is done by editing the following config file:

config/autoload/authorization.local.php

NOTE
If this file is missing from your application, locate it’s dist file: config/autoload/authorization.local.php.dist
and copy-paste it as the above-mentioned config/autoload/authorization.local.php

You should look for the array inside this config key: zend-expressive-authorization-rbac

'zend-expressive-authorization-rbac' => [
    'roles' => [
        'admin'  => [],
        'member' => ['admin'],
        'guest'  => ['member'],
    ],
    'permissions' => [
        'member' => [
            'avatar',
            'users',
            'user',
        ],
    ],
]

Under the key roles you can define role inheritance. In the above example

  • admin inherits from no other role
     'admin' => []
  • member inherits from admin
    'member' => ['admin']
  • guest inherits from member
    'guest' => ['member']

Of course, this setup is just a model, you should not use it in live projects because guests will end up having the same rights as admins.

Under the key permissions you can define which routes are accessible to a role. In the above example, a member has access to the routes named avatar, users and user.

1. No-auth endpoints:

These endpoints can be accessed without authentication/authorization. Examples could be: login, register, contact etc…
Creating a route for such an endpoint will use only the handler(s) responsible for returning the content:

$app->get('/users', UserHandler::class, 'users');

2. Endpoints requiring Authentication:

These endpoints can be accessed only if a valid Bearer token is present in the request headers. Else, the API will return a **401 Unauthorized** response. Creating a route for such an endpoint will have a structure similar to the following example:

$app->get('/users', [
    AuthenticationMiddleware::class,
    UserHandler::class
], 'users');

3. Endpoints requiring Authorization:

These endpoints can be accessed only if a valid Bearer token is present in the request headers. Else, the API will return a **403 Forbidden** response. Creating a route for such an endpoint will have a structure similar to the following example:

$app->get('/users', [
    AuthenticationMiddleware::class,
    AuthMiddleware::class,
    UserHandler::class
], 'users');

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.