r0r0 Posted June 2, 2014

I have two questions. I was wondering what would be the best method to go about building client side API functions on top of an already built API, e.g. http://docs.whmcs.com/API:Functions

We would like to provide our clients access to API functions related to their accounts without giving them access to the whole Admin API where they can see a lot of our other client information.

The other question: we have an API built using Basic HTTP Auth for API authentication (HTTPS), e.g. curl username:password http://api.etc.com

If so what would be the best way to secure this method?

Thank you

gizmola Posted June 2, 2014

I'm not sure I understand your questions. If you have an API already, that you already secure using HTTP Auth, then what other security do you need?

For segmenting API calls, typically you would add a "Role" relation to the user table. If you already have a lot of users and don't expect any role granularity you can simplify this somewhat by only adding rows & relations for "Admin" users possibly. A simple

    if ($user->isAdmin()) {
        // Existing admin code
    }

could be added.

A second possibility would be to completely isolate the members api on a separate api subdomain, i.e. client.yoursite.com. Although more of a hack, you could add an attribute to the existing user table like "isApiUser". Then it's a small change to your api access code to check for this attribute == 1, and disallow if they don't have it. Your client.yoursite.com api would allow any user to login, regardless of the "isApiUser" attribute.
r0r0 Posted June 2, 2014 Author Share Posted June 2, 2014 Thank you, I'm starting to get a good idea of where to start. To clarify, the API above is from a billing software we use (ioncubed) so it was diffcult to edit the API provided. We wanted to provide our clients an API, while the API above is an Full Admin access API 1. For Example if you look at this particular method, http://docs.whmcs.com/API:Get_Invoices This command can be used to obtain all the invoices. 2. The API call shows you all of our client invoices (over 1000 clients). I wanted a way for a client "A" to be able to get all of their invoices without showing them invoices from Client "B", "C",etc 3. I wanted Client "A" to be able to use a similar call which in turn would show all of the invoices for the client ID related to that particular client. I hope I'm making some sense. Quote Link to comment https://forums.phpfreaks.com/topic/288932-best-way-to-build-a-client-api-on-top-of-an-api/#findComment-1481671 Share on other sites More sharing options...

gizmola Posted June 2, 2014

Without looking in any detail at the whmcs api, you should be able to do what you want by wrapping their API calls in your own api, where you in essence proxy the requests for them. You would of course still need a user table and possibly some related tables to contain the information that you'd need to proxy along to the whmcs.

You have the options of using a number of different client libraries to make the actual calls. Guzzle and Httpful are two relatively recent php libraries that have become popular for making REST calls. Guzzle, for example, was used by Amazon as the underlying core of their AWS PHP API v.2 client library. You could also use the good old curl extension, although I'd advocate using Guzzle instead, with the curl adapter.

Since you're proxying calls from your server on behalf of your clients, you will need to ensure that the proper filtration or parameters are sent by your client calls. Other than that, it sounds like you will be providing a REST client yourself, so all the rules of creating a good REST API are important.
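
The proxy approach discussed in this thread, sketched as an added example that is not part of the original posts and is not WHMCS code. The upstream action name `getinvoices`, the `userid` parameter, the `$clients` table layout and every function name are assumptions for illustration; the real admin call (Guzzle or curl, holding the admin credentials) is passed in as a callable, so those credentials never reach the client.

```php
<?php
// Added example (PHP 7.4+). Not WHMCS code; 'getinvoices' and 'userid' are assumed names.
const ALLOWED_ACTIONS = [
    // client-facing action => [upstream admin action, parameters the client may set]
    'invoices' => ['getinvoices', ['status', 'limitstart', 'limitnum']],
];

// Map Basic Auth credentials to a client ID from our own user table.
function authenticateClient(array $clients, string $user, string $pass): ?int
{
    $row = $clients[$user] ?? null;
    if ($row === null || !password_verify($pass, $row['hash'])) {
        return null;
    }
    return $row['client_id'];
}

// Build the admin-API request; the client never chooses whose data is read.
function buildUpstreamRequest(int $clientId, string $action, array $input): array
{
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        throw new InvalidArgumentException('Action not available to clients');
    }
    [$upstreamAction, $allowedParams] = ALLOWED_ACTIONS[$action];
    $params = array_intersect_key($input, array_flip($allowedParams)); // drop everything else
    $params['action'] = $upstreamAction;
    $params['userid'] = $clientId; // set server-side, overrides any client-supplied value
    return $params;
}

function handleClientCall(array $clients, string $user, string $pass,
                          string $action, array $input, callable $callAdminApi): array
{
    $clientId = authenticateClient($clients, $user, $pass);
    if ($clientId === null) {
        return ['status' => 401, 'body' => ['error' => 'Invalid credentials']];
    }
    try {
        $request = buildUpstreamRequest($clientId, $action, $input);
    } catch (InvalidArgumentException $e) {
        return ['status' => 404, 'body' => ['error' => $e->getMessage()]];
    }
    return ['status' => 200, 'body' => $callAdminApi($request)];
}

// Constructed demo: client "A" (ID 17) tries to request invoices for user 42.
$clients = ['clientA' => ['hash' => password_hash('s3cret', PASSWORD_DEFAULT), 'client_id' => 17]];
$fakeAdminApi = fn(array $request): array => ['forwarded' => $request]; // stand-in for Guzzle/curl
print_r(handleClientCall($clients, 'clientA', 's3cret', 'invoices',
    ['userid' => 42, 'status' => 'Unpaid', 'action' => 'getclients'], $fakeAdminApi));
```

The forwarded request carries the authenticated client's own ID and the whitelisted `status` filter only; the client-supplied `userid` and `action` values are discarded before anything is sent upstream.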