Comments on: Putting semi-RESTful API development to… rest

By: teknoid

teknoid — Mon, 23 May 2011 15:21:39 +0000

@Stephen

It might have something to do with HTTP headers and content type.
I think if you send your request as “text/plain”, it won’t be POST’ed properly.

There’s a simple firefox add-on called “poster”, which can help set the correct headers/content type and further troubleshoot the problem

By: Stephen

Stephen — Thu, 19 May 2011 20:24:33 +0000

This works fine for me except that my api_info() action will not accept post vars, I’ve tried all sorts! var_dump(file_get_contents(‘php://input’)) will receive the Request Body but nothing will transfer the Request Headers into $_POST variables. Know any reason why this may happen? Thanks in advance

By: teknoid

teknoid — Tue, 27 Jul 2010 18:02:21 +0000

@red

Thanks, I’ll give it a shot to see if it works for me now as well.

By: red

red — Tue, 27 Jul 2010 16:16:20 +0000

Ops, looks like comments are not escaped :) I mean insted of:

Better is:
echo $this->Xml->header();

By: red

red — Tue, 27 Jul 2010 16:14:37 +0000

Regarding the not-cake-way header(“content-type: text/xml”) I’ve found that putting in controller:
$this->RequestHandler->respondAs(‘xml’);
$this->RequestHandler->setContent(‘xml’, ‘text/xml’);

Works perfect, no need to set up header in view anymore.

Oh, and instead of:
echo ”;

I think better is:
Xml->header(); ?>

By: teknoid

teknoid — Tue, 29 Jun 2010 14:46:00 +0000

@kvz

Thanks, that’s great. I’ll give it a shot once I come back around to this part of the project.

By: kvz

kvz — Tue, 29 Jun 2010 12:44:49 +0000

Hey teknoid,

FYI, I’ve developed a plugin for Cake that does this & some more:
http://github.com/kvz/cakephp-rest-plugin

By: teknoid

teknoid — Mon, 28 Jun 2010 18:36:14 +0000

@Mandy

These are very good questions, and would supplement the article very well… but I wanted to stay on point.
That being said, there a few common solutions for the authentication.

1. IP restriction on the server side, basically if you have the IP(s) of the requesting server (such as a partner site), this is probably the “safest” way to control access… however it should be done in your firewall or server config.
2. Issue a token…
a. The user must first request an authorization.
b. You issue a token (some random string) which must be supplied with any following request… again combining this with something like a hashed IP + username would make the access even more secure.
c. This token would persist for a limited amount of time. Such scheme is used by many API’s including popular credit card gateways and your favorite sites like PayPal :)
3. You could agree with the third party on a specific public/private key combo and only allow access based on the fact that the both requirements are met.

The one point that’s a bit harder to control is the amount of hits to the API, again, IMO, this should not be handled on the application level, but rather at the server/firewall settings.

By: Mandy

Mandy — Mon, 28 Jun 2010 18:19:34 +0000

great article!

however, i would like to know your thoughts on api authentication.

what if the api user needs to be identified by a api_key and secret ?

is there an easy way to just make sure all api functions are protected by it ?

how can we take care of rate limiting if we are going to get hammered by hits ?

i know some of my questions are beyond the scope of your article but since i was working on an api, i was trying to answers these myself when i read your article :)

-mandy.

By: Tweets that mention Putting semi-RESTful API development to… rest « nuts and bolts of cakephp -- Topsy.com

Mon, 28 Jun 2010 00:51:58 +0000

[...] This post was mentioned on Twitter by Dennis James, ber clausen. ber clausen said: RT: @cakephp_dennis: Putting semi-RESTful API development > http://bit.ly/cLmu9M < nice one here :) [...]