It has a database and a server-side PHP application that provides REST API functionality to clients written in PHP, Bash, Python, Node, HTML/JavaScript (with a proxy written in PHP) and HTML/JavaScript with OAuth2 / OpenID Connect.
Authentication is done with the use of bearer tokens provided by Okta. For a version of the REST API without authentication, please refer to this project.
This system simulates the registering of persons on a database.
The following diagram shows all the clients on top, the server side on the bottom and Okta authentication above the clients.

REST API Architecture diagram
The front controller authenticates the clients using the `authenticate` function. It reads the client's `Authorization` request header and extracts the bearer token. The token is a JSON Web Token (JWT) whose payload carries the client ID; that client ID is also saved and used to verify the token. The reason is that this REST API server may authenticate different types of clients, including "machine-to-machine" and "Single Page Application (SPA)" clients, which have distinct client IDs.

The `authenticate` function then uses Okta's `JwtVerifier` object to verify the token. Once the token is verified, the front controller processes the request. If verification fails, the client gets back a `401 Unauthorized` HTTP response.
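The flow just described, as an added example that is not the project's own code: it reads the `Authorization` header, extracts the bearer JWT, reads the client ID from the payload to select among the registered client IDs, verifies the token with Okta's `JwtVerifier`, and answers `401 Unauthorized` on failure. Assumptions: the `okta/jwt-verifier` Composer package with its `FirebasePhpJwt` adaptor, the client ID in the `cid` claim, and placeholder `.env` variables `OKTA_ISSUER`, `OKTA_AUDIENCE` and `OKTA_CLIENT_IDS`.

```php
<?php
// Added example, not the project's own code. Assumes okta/jwt-verifier with
// the FirebasePhpJwt adaptor via Composer and placeholder .env variables
// OKTA_ISSUER, OKTA_AUDIENCE, OKTA_CLIENT_IDS (comma-separated allowlist).
require __DIR__ . '/vendor/autoload.php';
use Okta\JwtVerifier\JwtVerifierBuilder;
use Okta\JwtVerifier\Adaptors\FirebasePhpJwt;
function clientIdFromUnverifiedPayload(string $jwt): ?string
{
    // The client ID selects the verifier configuration, so it is read from the
    // payload before verification; nothing is trusted until verify() passes.
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    $json = base64_decode(strtr($parts[1], '-_', '+/'), true);
    $claims = $json === false ? null : json_decode($json, true);
    return is_array($claims) && isset($claims['cid']) ? (string) $claims['cid'] : null; // 'cid' claim assumed
}
function authenticate(?string $authorizationHeader, array $allowedClientIds): ?array
{
    // Accept only "Bearer <token>"; anything else counts as no credential.
    if ($authorizationHeader === null || !preg_match('/^Bearer\s+(\S+)$/i', trim($authorizationHeader), $m)) {
        return null;
    }
    $token = $m[1];
    $clientId = clientIdFromUnverifiedPayload($token);
    // Unknown client IDs (neither the M2M nor the SPA app) are rejected before calling Okta.
    if ($clientId === null || !in_array($clientId, $allowedClientIds, true)) {
        return null;
    }
    try {
        $verifier = (new JwtVerifierBuilder())
            ->setIssuer($_ENV['OKTA_ISSUER'])      // e.g. https://<okta-domain>/oauth2/default
            ->setAudience($_ENV['OKTA_AUDIENCE'])  // e.g. api://default
            ->setClientId($clientId)
            ->setAdaptor(new FirebasePhpJwt())
            ->build();
        return $verifier->verify($token)->getClaims(); // signature, exp, iss, aud checked here
    } catch (\Throwable $e) {
        return null; // caller answers 401 Unauthorized
    }
}
$allowed = array_filter(explode(',', $_ENV['OKTA_CLIENT_IDS'] ?? ''));
if (authenticate($_SERVER['HTTP_AUTHORIZATION'] ?? null, $allowed) === null) {
    http_response_code(401);
    exit;
}
// Verified: hand the request to PersonController->processRequest() from here.
```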
- FrontController: implemented in `index.php`, it validates and authenticates the request. Then the FrontController processes it by calling the `PersonController`'s `processRequest` method.
- DatabaseConnector: implemented in `DatabaseConnector.php` and called by `bootstrap.php`, which is imported (required) by `index.php`, it opens the connection to the database. The database parameters are located in the local `.env` file and are loaded by phpdotenv.
- PersonController: implemented in `PersonController.php`, it instantiates the `PersonGateway` to handle the database processes. It also implements the HTTP method check and data validation/sanitization. Depending on the HTTP method, a different method from `PersonGateway` is invoked.
- PersonGateway: implemented in `PersonGateway.php`, it is the "model" that handles database activity. It implements its methods with PDO prepared statements to protect the database from SQL injection.
- Be sure to have PHP installed.
- Clone this repository, enter the root folder and run `php -S 127.0.0.1:8000 -t public` (it can also be run with any web server, or in the background by forking with `&` or `nohup`).
- If using the test with proxy (check the client section to see which client needs it), the proxy code must be run with `php -S 127.0.0.1:8001 src/Proxy/proxy.php`.