In my regular base controllers that check for a valid session for authentication, I do a check in the before() of my base controller and redirect to my login/site root with an error if things fail.
I am working on a REST-like API setup, and in implementing a similar pattern I would like to avoid the redirect and just return a 401 Unauthorized status and a mini JSON error bundle.
The problem I am running into is that the auth check is in the before() of my base API controller, and the flow will always execute the action after the failed auth check. Is there any built-in way to skip the action and just return the error from before()? Otherwise, is there a better pattern for putting in an auth check sans the fail redirect?
In the Request class, it appears that it does before/action-call/after one right after the other, with no checks or escapes possible.
With REST controllers you should not use before(), and do not redirect.
Controller_Rest contains an option in the rest.php configuration file to configure your auth method. It supports 'basic' and 'digest' for manual authentication, but you can also use it to define a local controller method which will do the auth for you. You can do this in the controller itself, or in a base controller so it works automatically for all your REST controllers.
This method can set a custom REST response, and should return a boolean to indicate whether or not the authentication was successful.
You could check for major changes on the Controller_Rest class between your version and now, and if there are no dependencies on other classes, you could backport the base controller.
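Putting the answer above into code, as an added example that is not part of this thread or of FuelPHP itself: a base REST controller whose auth method is named in rest.php, checks the session instead of redirecting, and on failure sets a 401 JSON response and returns false so Controller_Rest skips the action. The controller name, the `check_auth` method name, the use of the Auth package (`\Auth::check()`, `\Auth::login()`), reading the requested action through `\Request::active()->action`, and the `$public_actions` whitelist that keeps a login action reachable without a session are all my assumptions, not anything the thread or the framework prescribes; the config key `'auth'` in rest.php is the one the answer refers to.

```php
<?php
// fuel/app/classes/controller/api.php  (added example, not the project's own code)
//
// Assumed fuel/app/config/rest.php contents (config file, not shown in this thread):
//     return array('auth' => 'check_auth', 'default_format' => 'json');
// With 'auth' set to a method name, Controller_Rest::router() calls that
// method on every request before dispatching to the action.

class Controller_Api extends Controller_Rest
{
    // Actions that may be called without a session (assumption: the API
    // wants a public login endpoint; everything else requires auth).
    protected $public_actions = array('login');

    /**
     * Auth hook named in rest.php. Returns true to let the action run,
     * false to stop it. On failure it sets the JSON body and status itself,
     * so the client gets a 401 and a small error object instead of a redirect.
     */
    protected function check_auth()
    {
        // Assumption: the resource being routed is available as the active
        // request's action name (e.g. 'login' for /api/login).
        $action = \Request::active()->action;
        if (in_array($action, $this->public_actions, true))
        {
            return true;
        }

        // Assumption: the Auth package is configured and \Auth::check()
        // reports whether the current session belongs to a logged-in user.
        if (\Auth::check())
        {
            return true;
        }

        // Mini JSON error bundle with a 401 status; no redirect. The exact
        // default body Controller_Rest would emit when the auth method sets
        // none varies by version, so this example always sets its own.
        $this->response(array('status' => 0, 'error' => 'Not authorized'), 401);
        return false;
    }

    // POST /api/login  -- public, because 'login' is whitelisted above.
    public function post_login()
    {
        // Assumption: \Auth::login() returns true on valid credentials and
        // establishes the session itself.
        if (\Auth::login(\Input::post('username'), \Input::post('password')))
        {
            return $this->response(array('status' => 1), 200);
        }
        return $this->response(array('status' => 0, 'error' => 'Invalid credentials'), 401);
    }

    // GET /api/profile  -- only reached when check_auth() returned true.
    public function get_profile()
    {
        return $this->response(array('status' => 1, 'user' => \Auth::get_screen_name()));
    }
}
```

The whitelist is checked first so that a request to the login action never needs an existing session; every other resource goes through the session check. Because the decision lives in the auth hook rather than in before(), Controller_Rest itself decides whether to call the action, which is the behaviour the original before()-based approach could not get.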
Went ahead and used this as a tipping point to upgrade. Got most of the merging done; there are still some errors in the main app, but I am going to move on to getting this API stuff going.
In regards to 1.6 REST controllers, some questions around the config and auth.
You can pass the function name to check for auth validity; I take it this means that every route/call will hit this? If this is the case, it seems like this is where I would check for a valid session and return an error if one doesn't exist?
With the new REST controller setup, it looks like it's not possible to have public and authenticated REST controllers/actions. For instance, I would have auth/login and a few other routes not requiring authentication. Is this possible? Or should I just make my "public" REST routes/actions non-REST controllers and just spit back JSON?
With the response() method, would that just be put in my "base" REST class, and that's what gets called when the authentication function, or a general action, returns?
Correct, every request will call the auth method defined. All you need to do is check the authorisation, and return true if authorised and false if not.
If the Auth method returns false, the REST controller will return