In the previous article, we have created a RESTful API on top of ReactPHP HTTP server. Now we want to protect our API and add authentication. When it comes to securing a RESTful API things became interesting because a truly RESTful API should remain stateless. It means that the server doesn’t store sessions, all the information that the server needs to handle each request should be contained in the request itself.

Basic HTTP Authentication

Basic authentication is the type of HTTP authentication, in which login credentials are sent along with the headers of the request.

The client requests a protected URL and the server responses with 401 Not Authorized code. In return, the client sends back the same request but with login credentials as a base64-encoded string in format username:password. This string is being sent via the Authorization header as the following:

Authorization: Basic {base64_encode(username:password)}

For example, if the username is user and password is secret, the following header will be sent within the request:

Authorization: Basic cm9vdDpzZWNyZXQ=

To enable Basic HTTP Authentication in ReactPHP HTTP server we can use a PSR-15 middleware for it:

$ composer require middlewares/http-authentication

This middleware requires any PSR-7 HTTP library. For example, we can use Guzzle implementation:

$ composer require guzzlehttp/psr7

But still, it is not enough. We can’t use plain PSR-15 middleware with ReactPHP server, instead, we should use PSR15Middleware adapter:

$ composer require for/http-middleware-psr15-adapter

Now, we are ready to make our RESTful API secure. Instantiate a PSR-15 BasicAuthentication middleware and provide credentials:

<?php

// ...

$credentials = ['user' => 'secret'];

$basicAuth = \Middlewares\BasicAuthentication::class, [$credentials]);

Here we have a middleware that supports only one user. Then we need to wrap it in a special ReactPHP adapter:

<?php

// ...

$credentials = ['user' => 'secret'];

$basicAuth = new PSR15Middleware(
  $loop, 
  \Middlewares\BasicAuthentication::class, [$credentials]
);

PSR15Middleware constructor requires an event loop, a class of the middleware being wrapped, and an array of constructor parameters for this middleware.

Now, we can use this wrapped middleware inside the server. Place $basicAuth before the router. It is important because if the authentication failed, there is no need to dispatch the route:

<?php

// ...

$credentials = ['user' => 'secret'];

$basicAuth = new PSR15Middleware(
  $loop,
  \Middlewares\BasicAuthentication::class, [$credentials]
);

$server = new Server([$basicAuth, new Router($routes)]);

Done. From now, to get access to our API the client should provide Authorization header. For example, for our credentials it will be the following value:

Authorization: Basic dXNlcjpzZWNyZXQ=

If you try to request any route without Authorization you will receive 401 response:

Basic HTTP authentication is probably the quickest and easiest way to add to protect your REST API. It does not require cookies, session, login pages, or any other solutions, and because it uses the HTTP header itself, there’s no need to handshakes or other complex response systems. Looks simple, right? But there are some drawbacks of using HTTP Basic authentication:

  • the username and password are sent with every request and thus can be potentially exposed
  • expiration of credentials is not trivial

So, this authentication method shouldn’t be used on an open network since base64-encoded string can be easily decoded.

Further Reading: in the next article we will cover another solution to protect our RESTful API - JWT Authentication.

You can find examples from this article on GitHub.

This article is a part of the ReactPHP Series.