
Secure API and JSON to show content on another domain?


Cobra23


Hi Guys,

 

I'm new to this API and JSON stuff, so bear with me. Is there any source code available that allows me to start off building an admin panel on site A where users can't get the source code from the site once they log into site A's admin panel? I heard that JSON can do this.

 

Also, is there a simple secure API source code that allows site A to show content on site B (another domain)? I don't want to use iframes, as I want to be able to edit the content on site A and have site B automatically change when it's saved. I also want another site (site C) to have its own content that's different from site B's.

 

What I'm really looking for is the full source code with step-by-step instructions on how to change this the way I want. I've searched online for 2 weeks now and am still struggling to find anything, or how to implement it, even with REST. Can you please advise me on this with any helpful solutions?

 

I hope this is clear enough.

 

Thanks


That's why I'm here. I know it's going to involve implementing bits of different programming languages, and I was hoping to see if there is a quick solution for each of those parts that will help me on my way to what I want to do.

 

As I have said, I'm new to APIs and JSON. I was really hoping to be guided on how I can go about this, with any quick solution to generate the code if possible (which would be a bonus but is unlikely). I also want to see what the best options are for each part, especially the kind of APIs to use, as well as whether JSON is the right secure solution for this project or whether there are other choices that would be recommended.

 

Just to note that my main skills are HTML, PHP, CSS, JavaScript and SQL.

Edited by Cobra23

There is no quick solution and no step-by-step guide. You'll actually have to write the code yourself.

 

I'm also not sure why you're so obsessed with JSON. That's just a data format, it doesn't do anything. Whether you use JSON or XML or whatever is an implementation detail and completely irrelevant at this point. You can worry about it later.

 

I'd approach this problem top down. That is, you first need to know what you want. Since your initial description is very vague, I'm not sure if that's the case. The next step is to come up with a sensible high-level architecture. Who provides data for whom? And finally you take care of the implementation.

 

You seem to have it backwards. You're throwing around buzzwords like “REST” or “JSON”, but there's no clear goal beyond “site B shows content from site A” (which applies to roughly 99% of the WWW).

 

And some parts of your description don't really make sense. You've said you don't want your admin users to see your code. What code? And why would they see it?


I am going to write a summarized version of how you can make an API that does what you asked.

 

Make a directory named api; in the Apache config, create a new virtual host for it.

Replace the word domain with yours and be sure to restart Apache.

<VirtualHost *:80>
    ServerName api.domain.com
    DocumentRoot /var/www/api
    <Directory /var/www/api>
        # Directory listing stays off: an API host should never enumerate its files.
        Options -Indexes
        # Apache 2.4 syntax; on 2.2 this was "Order allow,deny" / "Allow from all".
        Require all granted
    </Directory>
</VirtualHost>

If you want SSL, get a certificate and also add this; save your cert under the ssl directory.

<VirtualHost *:443>
    ServerName api.domain.com
    DocumentRoot /var/www/api
    <Directory /var/www/api>
        Options -Indexes
        Require all granted
    </Directory>
    SSLEngine on
    SSLCertificateKeyFile /etc/apache2/ssl/api.domain.com.key
    SSLCertificateFile /etc/apache2/ssl/api.domain.com.cert
    # Legacy workaround for old Internet Explorer SSL bugs; harmless, but no longer needed.
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>

Create an index file in the api directory; this will be used as your API front door (api.domain.com).

The API will use REST and GET parameters, or whatever CRUD design you come up with.

 

You should have a CMS with user accounts.

Create a system that generates public and private keys, with the ability to create new ones, and save the keys to a database under each user's account.

Create a form where users can allow or deny IPs, domains or subdomains, and save those to a database under that user, or even per script/service for each user's account.

The client would connect over an HTTP request.

They would be using GET parameters in the URL.

Designate what script to access; the public or private key can determine or limit what actions that client can perform (such as CREATE, EDIT and DELETE for private keys), the format type of the output, and any other parameters needed.

 

Obtain the client's IP:

// REMOTE_ADDR is the TCP peer address as seen by Apache and is never a
// comma-separated list; the split below only matters if you read
// X-Forwarded-For instead, and that header is client-supplied, so it must
// only be trusted when a proxy you control sets it.
$remote_ip = $_SERVER['REMOTE_ADDR'];
if (strstr($remote_ip, ', ')) {
    $ips = explode(', ', $remote_ip);
    $remote_ip = $ips[0];
}

You can do a query using the supplied access key to associate it with that user and their allowed IPs or domains.

Is the key valid? If not, deny them; if so, you now know the user.

If you want to check a domain, you can use gethostbyaddr and discover their domain.

Is the IP or domain not in their allowed list, or in a disallow list? If so, deny them.

 

You can place any additional checks you want into this, such as a credits system, suspended or banned status, and so on.

 

You would hold all the data in an array, doing checks as you go along; if there is an error then deny access, and you can show whatever messages you desire in the output.

 

Through the API you can use various header fields.

You can do multiple format outputs as a GET parameter, setting json as the default if it does not exist in the URL.

 

Here is an example of how I do mine:

// check format
if (isset($_GET['format']) && trim($_GET['format']) != '') {
    $format = trim($_GET['format']);
} else {
    $format = "json";
}

$format_array = array(
    "json",
    "xml",
    "html",
    "iframe"
);
if (!in_array($format, $format_array)) {
    $errors['format'] = "Improper format used";
    $format = "json";
}

I incorporate a few switches, one to determine which script to include depending on the service required via the URL.

Another switch determines the header type for the output:

switch ($format) {
    case 'json':
        header('Content-Type: application/json; charset=utf-8');
        // the second argument of json_encode() is a bitmask of JSON_* flags,
        // not a boolean, so passing true would silently set JSON_HEX_TAG
        echo json_encode(array('data' => $array));
        break;

    case 'xml':
        header('Content-Type: text/xml; charset=utf-8');
        // build your xml document and tree structure
        break;

    case 'html':
        header('Content-Type: text/html; charset=utf-8');
        // create html document and data
        break;

    case 'iframe':
        // show iframe content
        break;
}

If all checks passed, the appropriate script would be included; it should not allow any other domain to access it unless that was allowed by the user.

Tracking and usage can be added by a simple hit counter if all the checks passed and it was actually used.
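The post above sketches the front door as a list of steps. The following is an added example, not the poster's code, that puts those steps together in one runnable PHP file (PHP 7.3 or later): key generation with only a hash stored, key lookup, a per-user IP allow list, and read-only ("public") versus read/write ("private") keys. The table layout, the column names, the X-Api-Key header and the sample rows are all assumptions made for illustration; the sample rows are created in an in-memory SQLite database so the file also runs offline from the command line.

```php
<?php
// Added example, not code from the post above: a minimal PHP front door for
// api.domain.com with the checks the post describes (key lookup, per-user IP
// allow list, read-only vs. read/write keys). Table layout, the X-Api-Key
// header and the sample rows are assumptions; they live in an in-memory
// SQLite database so the file also runs offline from the CLI.
declare(strict_types=1);

// Keys come from a CSPRNG; only the SHA-256 of the secret is stored, so a
// dumped api_keys table does not contain working credentials.
function generate_api_key(): array
{
    $secret = bin2hex(random_bytes(32));   // 64 hex chars, shown to the user once
    return ['secret' => $secret, 'hash' => hash('sha256', $secret)];
}

// IPv4 address inside a CIDR block (a bare address is treated as /32)?
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $mask = (int)$bits === 0 ? 0 : ((-1 << (32 - (int)$bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

// The presented secret is hashed before the lookup, so the raw secret never
// reaches the database or its query logs.
function authenticate(PDO $db, string $presented): ?array
{
    if (!preg_match('/^[0-9a-f]{64}$/', $presented)) {
        return null;                        // malformed: reject before querying
    }
    $stmt = $db->prepare('SELECT user_id, scope, allowed_cidrs FROM api_keys
                          WHERE key_hash = ? AND suspended = 0');
    $stmt->execute([hash('sha256', $presented)]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// [status, body]; json_encode()'s second argument is a bitmask, not a bool.
function respond(int $status, array $data): array
{
    return [$status, json_encode(['data' => $data], JSON_THROW_ON_ERROR)];
}

// Request handling kept free of superglobals so it can be exercised directly.
function handle(PDO $db, array $server, string $apiKey): array
{
    $key = authenticate($db, $apiKey);
    if ($key === null) {
        return respond(401, ['error' => 'invalid key']);
    }
    // REMOTE_ADDR is the TCP peer Apache saw and cannot be forged by the client;
    // X-Forwarded-For is client-supplied unless a proxy you control sets it.
    $ip = $server['REMOTE_ADDR'] ?? '';
    $ipOk = false;
    foreach (array_map('trim', explode(',', $key['allowed_cidrs'])) as $cidr) {
        $ipOk = $ipOk || ip_in_cidr($ip, $cidr);
    }
    if (!$ipOk) {
        return respond(403, ['error' => 'ip not allowed']);
    }
    // The post's "private" key is scope=write here; "public" keys only read.
    $method = $server['REQUEST_METHOD'] ?? 'GET';
    if (!in_array($method, ['GET', 'HEAD'], true) && $key['scope'] !== 'write') {
        return respond(403, ['error' => 'key is read-only']);
    }
    $stmt = $db->prepare('SELECT body FROM content WHERE user_id = ?');
    $stmt->execute([$key['user_id']]);
    return respond(200, ['user_id' => (int)$key['user_id'],
                         'content' => (string)$stmt->fetchColumn()]);
}

// Constructed sample data: one read-only key for "site B", two allowed ranges.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE api_keys (user_id INT, key_hash TEXT, scope TEXT, allowed_cidrs TEXT, suspended INT)');
$db->exec('CREATE TABLE content (user_id INT, body TEXT)');
$siteB = generate_api_key();
$db->prepare('INSERT INTO api_keys VALUES (?, ?, ?, ?, 0)')
   ->execute([7, $siteB['hash'], 'read', '203.0.113.0/24, 198.51.100.7']);
$db->prepare('INSERT INTO content VALUES (?, ?)')->execute([7, 'Hello from site A']);

if (PHP_SAPI === 'cli') {
    // Offline run: the same key from an allowed and from a disallowed address.
    foreach (['203.0.113.42', '192.0.2.1'] as $ip) {
        [$status, $body] = handle($db, ['REMOTE_ADDR' => $ip, 'REQUEST_METHOD' => 'GET'], $siteB['secret']);
        echo "$ip -> $status $body\n";
    }
} else {
    // Under Apache the key travels in a header rather than the query string, so
    // it stays out of access logs, browser history and Referer headers.
    [$status, $body] = handle($db, $_SERVER, $_SERVER['HTTP_X_API_KEY'] ?? '');
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    echo $body;
}
```

Two caveats a practitioner would add to the post's checklist. Site B should call this endpoint server-side (for example from PHP with a stream context that sets the X-Api-Key header) rather than from browser JavaScript, so the key never reaches visitors, and it must escape the returned content with htmlspecialchars() before echoing it into its own page. The optional domain check via gethostbyaddr() trusts a PTR record that the address owner controls; if you use it, resolve the returned name forward again and only accept it when it maps back to the connecting address.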



There's no need to re-invent the wheel:

APIgility provides an API out-of-the-box.

RESTler transforms your classes into REST objects.

DREST does the same thing but for Doctrine entities.

 

If you use Symfony, you can add the SyliusResourceBundle which is similar to DREST as it provides CRUD for Doctrine entities.
