Allowed API insta-login via HTTP Basic Auth #3443
Conversation
colinmollenhour
changed the title
colinmollenhour
force-pushed
the
api-login-basic-auth
branch
from
7ad9f7f
to
31aba52
Compare
|
I tested and it works: public function jsonrpcAction()
{
$url = Mage::getStoreConfig('muze/stars/url');
$apiUser = Mage::getStoreConfig('muze/stars/user');
$apiKey = Mage::getStoreConfig('muze/stars/key');
$client = new Krixon_JsonRpc_Client($url);
$client->getHttpClient()->setAuth($apiUser, $apiKey);
$result = $client->call('call', [null, 'magento.info', []]); // session_id is set to null, no need to call login API!
var_dump($result);
}Question: the server needs to login for every call and create a new session ID. Is there a way around this? May be a way for the client to get the session ID to avoid constant login? Is this refactoring better: /**
* Allow insta-login via HTTP Basic Auth
*
* @param string $sessionId
* @return $this
*/
protected function _instaLogin(&$sessionId)
{
if ($sessionId === NULL && !empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) {
$sessionId = $this->login($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
}
return $this;
}
public function call($sessionId, $apiPath, $args = [])
{
$this->_instaLogin($sessionId)
->_startSession($sessionId);
//... |
I think a further improvement would certainly be to somehow prevent the session from even being recorded in the
Probably, but it's a bit subjective when the duplicated code is so short. 🙂 |
|
:-D I didn't notice phpcs was complaining about the NULL thing :-D |
|
I fixed the phpcs thing, I'd merge it since it was already approved but I think we should really have a bit of documentation about this new interesting feature. Thing is, we can't continue stuffing the README with everything IMHO... |
|
Oops, I copied this from another project that uses upper-case NULL/TRUE/FALSE - also a habbit.. 😄 Thanks for fixing. The proper place for documentation would be here, although there is no mention of JSON API there either.. https://devdocs-openmage.org/guides/m1x/ |
|
absolutely, there's should be something about the jsonrpc thing too, but the devdocs... I don't know... it really seems ancient, I was checkin it and it seems to me that almost everything is nowadays irrelevant, it's great to have a mirror of the old docs, but I wouldn't know where to start to expand it :-\ |
|
I'll merge this because it was already approved and the subsequent commits were trivial. |
fballiano
changed the title
|
@colinmollenhour Will you be able to make another PR on bypassing the |
I can't do it right now.. I added an issue report for it though: #3449 |
Using the XMLRPC and JSONRPC API is a hassle because you have to login to get a session id and then use that session id in subsequent requests and then deal with expiration, etc. Some users also create new sessions in every new process so you end up with lots of login calls. This allows one to authenticate to the API without calling the login method but rather passing the username and password using HTTP Basic Auth. This allows a method to be called with a single API request making it much easier to consume the API with low-code tools. Pass
nullas the session id.Example request (PhpStorm format):