[Flow] Implementing API key security in a Flow application
Søren Malling
soren.malling at gmail.com
Mon Oct 28 16:15:36 CET 2013
Hi Pankaj,
That could be an easy first-step solution.
That way I can create an account/party model that holds the allowed actions
(GET, POST, PUT etc.) for that key.
Is that a good way (in terms of performance) compared to my own
implementation of a Policy.yaml check with a logged-in account (based on
the API key)?
And how would I be able to keep the session alive, so they don't need to
submit the API key on each hit? Or what is the best practice?
Cheers
Søren
On Fri, Oct 25, 2013 at 10:03 PM, Pankaj Lele <pankaj at lelesys.com> wrote:
> Hi Søren,
>
> I assume you must want to check the API key in some database for validity.
>
> So instead of going into some deep firewall filter or writing your own
> interceptor, you can simply create an authentication provider and an API key
> token. Then the party should be authenticated and then you can simply
> implement the Policy restrictions on your Rest controllers. Did you already
> try this?
>
> -Pankaj
>
>
>> Hi,
>>
>> I'm developing a Flow application, where we have a Rest API.
>>
>> For that purpose we will only accept requests with a correct API key sent
>> along with the request.
>>
>> For this purpose I thought about adding it as a firewall filter like
>> described in the documentation
>>
>> http://docs.typo3.org/flow/TYPO3FlowDocumentation/stable/TheDefinitiveGuide/PartIII/Security.html
>>
>> So I've created an Api interceptor and a voter (based on the AccessDeny
>> classes), but I'm kinda stuck here.. In which one of these two should I
>> implement the API key check? And how can I access the current request to
>> get the controller and method name trying to be accessed?
>>
>> I hope you can help me in some direction
>>
>> Cheers
>>
>> Søren
>>
>
>
> --
> Pankaj Lele
> CTO - Lelesys, India
> http://www.lelesys.com
> Twitter: @pankajlele
>
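
The check discussed in this thread (an API key mapped to an account and to the HTTP methods that key may use), as an added example that is not part of the original messages and is not Flow code. It is plain PHP (7.1+); the function names, account names and sample keys are hypothetical, keys are assumed to be long random strings, and in a Flow application this logic is assumed to sit behind the authentication provider suggested above.

```php
<?php
// Added example (not Flow code): API key check with per-key allowed HTTP methods.
// All names and keys below are hypothetical / constructed for illustration.

/** Constructed sample store: SHA-256 digest of each key => account and allowed methods. */
function buildKeyStore(): array
{
    return [
        hash('sha256', 'demo-key-readonly') => ['account' => 'reporting', 'methods' => ['GET']],
        hash('sha256', 'demo-key-full') => ['account' => 'backoffice', 'methods' => ['GET', 'POST', 'PUT']],
    ];
}

/**
 * Decide the HTTP status for a request: 401 for a missing or unknown key,
 * 403 for a known key used with a method it is not allowed, 200 otherwise.
 */
function authorizeRequest(array $store, ?string $apiKey, string $method): int
{
    if ($apiKey === null || $apiKey === '') {
        return 401;
    }
    // Only digests are stored, so a leaked key table does not reveal usable keys.
    $digest = hash('sha256', $apiKey);
    $entry = null;
    foreach ($store as $storedDigest => $candidate) {
        // hash_equals() compares in constant time; no early exit on a match.
        if (hash_equals((string) $storedDigest, $digest)) {
            $entry = $candidate;
        }
    }
    if ($entry === null) {
        return 401;
    }
    return in_array(strtoupper($method), $entry['methods'], true) ? 200 : 403;
}

// Constructed sample requests: key (or null when none was sent) and HTTP method.
$store = buildKeyStore();
foreach ([['demo-key-readonly', 'GET'], ['demo-key-readonly', 'POST'],
          ['demo-key-full', 'put'], ['wrong-key', 'GET'], [null, 'GET']] as [$key, $method]) {
    printf("%-18s %-5s => %d\n", $key ?? '(none)', $method, authorizeRequest($store, $key, $method));
}
```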