I'm building a restful interface for a system that will support both anonymous and first-class accounts across mobile, console & web clients. I'm also a security noob. https & signing requests seems like the way to go for me (please correct me if wrong...) and it looks like that is what the digest authentication is doing, but I can't find anything in the documentation that explains how to implement. I have looked under the security and controller sections but nothing even mentions digest...
Anyone care to provide me with a rundown of what it is and how it works?
The most secure solution for web services is to encrypt using TLS, and authenticate using a client-side certificate. But that's very complex to setup, and for that reason it's usually implemented using a security gateway.
One step down are userid/password based solutions. Out of the box, the REST controller support basic and digest, both documented in http://www.faqs.org/rfcs/rfc2617. You can also implement your own solution, either based on Auth (a lot of people use that), or based on an OAuth implementation.
For basic and digest, copy fuel/core/config/rest.php to app/config, and modify it. It contains the Realm you authenticate against, the method used, and the list of valid username/password combinations (this is why a lot of people use Auth, it stores them in the database, hashed, instead of in a file, readable). After this it should work without further modifications.
If you decide to implement your own authentication method, I suggest you switch to 1.6(develop), it's Controller_Rest supports a custom auth method (besides basic and digest), in which you can implement whatever mechanism you want.
Donate
